[INTERVIEW] What is Success for Data Discovery and Risk Management Programs?

July 23, 2022

Recently, NowVertical Group’s Director of Customer Success, Gareth Tranter, sat down with #RISK Podcast's Executive Director, Nick James, to unpack the question: What is Success for Data Discovery and Risk Management Programs? #RISK is more than just a podcast, it’s a community that comes together to debate and learn, and most importantly, break down silos to improve decision-making.

Watch the podcast or read the Q&A highlights.

Nick James, #RISK Podcast Host:

I love the term customer success. It seems to have evolved out of the growth of SaaS and subscription-based business models. So, my first question is — how do you measure and manage customer success?

Gareth Tranter, NowVertical Group:

Really good question. Customer success is exploding, right? I think there were 10K new job posts on LinkedIn during 2021. And they're expecting almost double that growth again this year. It’s similarly echoed by the growth in the role of Chief Customer Officer. I think a lot of people would look towards Nick Metter, formerly of the Salesforce organization, as the grandfather of customer success. 

But what is it today? 

How do we manage it and how do we measure it? 

Well, that's actually tied to two very, very concise things: that is, what's your solution designed to do for a customer; and how the customer wants to measure the output and the return on investment from working with you. Vendors make the assumption that because we have supplied a solution, we have supplied a product that the customers both know how to utilize and how to value it.

And actually that's our job, right? 

That's our purview. 

We built the product, right? We know what we're doing with it. We have to ensure we're leading customers to water. We have to ensure that they know how to get the best value from the solution. If they don't, they won't be a customer for life. And when we look at the market right now, most tech organizations are saying somewhere between 70% and 80% of their revenues are coming from their install base. 

And as the market's tightened, that's getting ever more prevalent. We have to take care of customers and that means every customer's measurement is slightly different. They are going to be different on a customer-wide customer basis, how you scale that and how you build programs to address that. That's the complex part, but the answer to the exam question here is: how is a customer going to get value and output from an investment with you as an organization?


Nick James, #RISK Podcast Host:

Thank you, that was very, very well-explained. And obviously the risk of losing customers is huge. We live in a world where every company is a data company by default. I'd like to ask you how organizations can unpick the data they hold to mitigate risk of losing customers.

Gareth Tranter, NowVertical Group:

So some lessons learned from working with lots of customers. I think we need to break the idea that we only talk about customers and opportunities in respective structured data. 

Unstructured data has been around just as long and is proliferating at scale like staggering amounts year-on-year. And every customer I've worked with in the early phases would believe that most of their customer data is tied very tightly in, securely in, structured data sources. 

Actually the reality of their data estate would say quite different. And that creates risks because unstructured data cannot be secured in the same way that structured data is secured. There's too much of it. It's too widespread. And to be quite frank, it will be too expensive. 

So how do you mitigate the risks of losing customers? 

Well, understand where your data is to get to grips with where that data lays and understand the difference between data that is redundant, obsolete, and trivial, the stuff that you're keeping and you really don't need to because once you've got rid of that, all that you have left is either value or risk.

It makes it much easier to see.

We often use a program terminology here called 'don't feed the elephant.' Too many organizations try really hard to do everything all at once. Where's the risk, where's the value, where's our customers, et cetera, in both structured and unstructured environments. And then point it all together. 

There's too much, even in a small company, there's almost too much data to do that. So start the program, pick the things that you can get to really fast by unifying people, processing technology. And very quickly, you will start to see where your risks lay and you will be able to value them, and you will be able to put a price on what it takes to secure them and then find and understand the value of what data you have left.

Nick James, #RISK Podcast Host:

Terrific. I love that phrase or that saying, “don't feed the elephant.” I'm gonna steal that for our own organization. Do you think that most organizations actually really understand the value, and therefore the risk, I'm assuming they've done the, what do you call it? The ROS test - do they understand the risk associated with the data that they hold?


Gareth Tranter, NowVertical Group:

I'm going to be really controversial, Nick, let's get some views. I'm gonna be really controversial. No, I don't think they do. 

The reality is, it is in a structured data environment. There are regular checks we can do fuzzy matches and logic and all those kinds of wonderful things with databases… But that still doesn't stop humans inserting the wrong type of data into unsecured fields or free text fields. 

Unless you are looking for specific pattern matches, utilizing things like NLP which is part of our technology stack. You would never spot a free text field that had the wrong type of data in it and particularly PII or high-risk data and sensitive data. So that's kind of the structured piece. The unstructured piece is even harder without NLP particularly since you've got no way of understanding what risk is in your unstructured estate.

Often they'll take an organization will take a small slice of a file share somewhere and spend hours painstakingly opening documents and/or just reviewing metadata. Neither of those things tell you what the extent of the risk is in your unstructured data estate. 

We can, just being frank, we can, and we do, and we do that at scale. NOW Privacy is built with NLP - natural language processing - inherently in the text stack. We're able to look at every single document and every single type of file in every single area of your unstructured data estate. And then use that NLP technology to understand where the risks are. 

Stuff that pertains to personally identifiable information unsecured in unstructured file share. We find that, we find it fast. We can take you to exactly where it lies and, in the very near future, we will be able to help you remediate those problems as well.

The problem is, you can't value the risk associated with the data you hold, unless you know exactly what is there. In many organizations, and I've held a number of webinars on exactly this topic, we're using a qualitative analysis for unstructured — not a quantitative analysis to understand that risk boards have been okay with that. But we're increasingly seeing, with things like CCPA and GDPR, a renewed push for governance and value in data. We're increasingly seeing boards particularly asking for something better than just a qualitative analysis of data estates. That's where we step in.

Nick James, #RISK Podcast Host:

As a lay person, it sort of reminds me very much of the Donald Rumsfeld quote: “There are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know.”

And unless you actually know what you got, you can't really start the whole process.

Gareth Tranter, NowVertical Group:

Absolutely. We know what we know, but we don't know what we don't know. Absolutely. In a perfect world, we would have known unknowns and unknown unknowns that the problem is particularly an unstructured data source. We either know it or we don't.

Even in smaller organizations, unstructured data sources — and remember when we're talking about this sort of thing, we're talking about email, we're talking about SharePoint, we're talking about Slack, we're talking about MS Teams, we're discussing file share locations on and off premise in places like Google or Microsoft Office 365 — there's data everywhere.

You opened up with every organization as a data company, this couldn't be more true. It is absolutely everywhere. Drawing the docs between all of that and understanding what is there at scale is becoming unmanageable by people.

Nick James, #RISK Podcast Host:

One area I know that you are particularly keen for organizations to understand is the hidden dangers of data in the M&A process — mergers and acquisitions. Could you share maybe an example of where this might have gone wrong?

Gareth Tranter, NowVertical Group:

Yes, in summary, I can give you some high-level information. I think there's a couple of places that you need to look at. The first of which is, when organizations get together and decide they want to start making some decisions about how they would value the business. 

In question, they tend to look, again, at a small slice, a capture of a customer structured tool set and they will do some analysis on that and figure out how much they value each customer based upon the opportunities that are perceived there. Very rarely does the organization that's acquiring go any deeper than a slice of that capture. And very rarely does the organization that's looking to acquire, ever look or ask for knowledge of unstructured data. So there is stuff absolutely being left on the table.

It's not deliberately obfuscated. It's just not thought of as part of the process. As the business that may have spun out part of a company to another organization to then find 4, 5, 10 years down the line parts of your data estate that are full of information, both corporate sensitive and personally identifiable information, as well as general RO data that actually now belongs to a different business that you're contractually stated you would give all your data over to, is not uncommon. And that is the reality of it. 

Because again, organizations don't know this stuff's there in a lot of cases, it's probably not supposed to be out there, but it is. And again, it's an unknown unknown. If you find yourself in a situation whereby you are left with a whole lot of data that belongs to someone else and that comes with some difficult moral, ethical and legal complexities.

Nick James, #RISK Podcast Host:

We sort of touched on it earlier, or you touched on it, but one big thing that has changed for everyone over the last two to three years, is the phenomenon of people working from home or working from anywhere. What additional risks has this created?

Gareth Tranter, NowVertical Group:

In my opinion, data security has always been a hot topic, but it's getting increasingly hotter. And unstructured is a difficult place to manage data security effectively because of its scale and complexities. As I said, when you get into SharePoint sites and Office 365 and Google Cloud and all these things are growing all the time. And with people working at home, what we're seeing is a need to electronically share data faster.

A good example of how that can happen, is an analyst might take a capture of a structured data system that contains customer data for a very specific team to utilize, or even a very specific individual to utilize, and analyze. Often that file is password protected, but then emailed.

And I say, often, because I can tell you that it's probably only 50% of occasions that it's properly secured before it's sent. It's then put into an email and it's sent out. They will often take that file out of the email and save it to a local drive or a One Drive or something similar. But it will remain in the inbox. 

Then often the wider team will want visibility of that data and it's then forwarded on. Now it’s in two sent boxes and probably 5, 10, 15 inboxes. Every one of those will take a save of that data to a local drive, One Drive, desktop, or similar. 

Then all of a sudden we've got one incredibly risky file, just one risky CSV, for instance, that should have been for one person, but has presence in 20 to 30 locations in the space of hours. 

That's what remote working has done. Instead of being gathered around a laptop in a hot desk environment or a meeting room, we're having to share data more effectively and legacy ways of working, we send stuff by email or via chat. It leaves a thumbprint. It leaves a copy and that copy is not secured in the same way that the data was secured in a structured environment. And it becomes invisible.


Nick James, #RISK Podcast Host:

I guess one other aspect of that is the temptation to CC so many people on an email as well, because you're not in the same office, because you're not in the same place that you used to be, oh, you wanna make sure that everyone is aware of it. So you CC, or in some cases BCC people on it, and then that proliferation just accelerates.


Gareth Tranter, NowVertical Group:

Yes: It just grows and grows and grows. As I said, what started off as should have been one file for one person, actually has a footprint in hundreds of different locations and hundreds of different data sources often in a single organization. 

This is my point, is it proliferates, it just keeps on growing. You find stuff everywhere. And again, that's where technology that can do similarity matching and pattern matching to understand where that document may pop up in different data sources, and be able to take action to remediate both the risks within it. The data sources themselves are critical.

But again, if the organization doesn't know that that email or team chat or Slack is being used to pass that sort of data around, how can they ever take steps to secure it properly?


Nick James, #RISK Podcast Host:

Yes, we're all living in a world where people take shortcuts as well. People that work together on a regular basis might say, oh, it's easier to do it this way or easier to do it that way. And, then it might even step outside of the organizational boundaries.

Gareth Tranter, NowVertical Group:

Agility is everything, right? We're all under pressure to make money, save money, or mitigate risk. And, we've gotta do all of those things with less resources — but faster. So, we're relying more and more on technology to do those jobs, to help us get there. 

That often means we're creating workarounds to establish organizations, organizational security policies to make stuff happen. You know, it's an uncomfortable truth, Nick, for a lot of organizations, but it is a truth. You can't shut this stuff down… Actually what you need to do, is find ways of monitoring your data security and your data posture. Then you can correctly and adequately identify the risk and the opportunities that lay there.

Nick James, #RISK Podcast Host:

Gareth, this has been absolutely fascinating for me. I've got one final question that I've asked a number of people, and it's very much from a work-perspective, not necessarily from a personal-perspective, but we are living in very strange and often difficult times. There seems to be something coming at us almost every day, whether it's political unrest or a heat wave, or in the UK, a train strike, or an upsurge in COVID, or it's just the most strange times that I've ever lived and worked through. But what’s one thing that keeps you awake at night?

Gareth Tranter, NowVertical Group:

It's the assessment, isn't it? A real-time media and what have you, it does keep the news very clear and present. I mean, from a work perspective, the thing that keeps me awake at night is my customers and their value, Nick, truly, we thrive by making sure customers get to the value that customers get to output for us.

That's data security for us, that's governance, risk and compliance. And for us that's privacy — there are key use cases. That's what makes the Now Privacy tool tick. There are still hundreds of thousands of organizations that believe there is either a single technology to fix these problems, or that they need an army of analysts to fix these problems when in reality, the right program of work that unifies people, process and technology will get to those outcomes far, far quicker and more sustainably in the long term.

And I wish I could just educate more people. I wish I could help more people get to those outcomes. It's what I live and breathe. 

That's genuinely something that I get in trouble for, waking up at 4:00 AM and writing notes on my phone for it. It's very much a part and parcel of life for me. It's sustainability. How can we help customers understand that these things are not one-time fixers with a small piece of technology, or that they require hundreds of thousands of analysts to solve a problem. And therefore the cost's too high and we don't wanna do it.

Nick James, #RISK Podcast Host:

Terrific. Gareth, that's, it's been a really good 20 minutes. And I'm looking forward to catching up in-person. The one takeaway for me on this is ‘don't feed the elephant.’ So I'm gonna be going out and talking to people in our organization about exactly that and, Gareth, thank you very, very much.

---

Gareth works with NOW Privacy to provide visibility and security across massive holdings of unstructured and structured data sets for enterprise businesses in banking, finance, government agencies, and more. To learn more visit our NOW Privacy page here. Contact us by filling out the form at the bottom of the NOW Privacy page, or send us a note via our Contact Us page here. To watch the whole interview, visit our YouTube Channel and watch it here.
