Roundtable Discussion Part 1: How a Large Telecommunications Corporation Addressed an Influx of Regulations Through Data Governance

Let’s start by discussing the background of the project. Can you summarize the scope of work to date?

Frazier: Like many large organizations with global operations, data is the connective tissue that connects each segment of a business. Throughout a business lifecycle, data is collected in data lakes, cataloged in data warehouses, modified in applications, stored in databases, and called, passed, transformed, analyzed and used as it makes its way through the ever expanding web of structured systems that are common in today’s organizations. For the client, a global telecommunications company, a steady flow of information is critical to serving its customers, from service orders to data needed by technicians in the field, and this data must be tracked, managed and secured throughout its lifecycle. Our practice was selected to provide a multi-disciplinary team of experts and programs to help meet the client’s legal and compliance obligations, optimize business outcomes and support the needs of all business units.

Ingber: Throughout the project, we’ve collaborated with our teammates in other segments to deliver fulsome expertise across regulatory risk, governance best practices, technical assessment and architecture, technology solutions, analytics and other key factors that relate to the flow of data throughout an enterprise and the ways that data is secured. We’ve worked closely with internal stakeholders and custodians and the client’s external vendors to identify and classify each data and information source. The client had an extremely diverse technical landscape, with thousands of applications and databases, based on dozens of technologies, code bases, database types, etc. An enterprise-wide system inventory was conducted and analyzed to enable us to create individualized solutioning approach for each application and underlying database(s). Throughout the project, while the client remained highly focused on certain regulatory issues, we kept a broad view to ensure each decision accounted for overall program success and holistic data governance.

What challenges has the client faced? Are these common issues that come up in data governance projects?

Ingber: Many of this client’s challenges are indeed common issues other large organizations face when trying to bring control to their data. Considering that the global volume of data consumed worldwide hit an estimated 59 zettabytes in 2020 and IDC estimates that due to the acceleration of rich data creation and consumption during the COVID-19 pandemic and shift to widespread remote work, the data universe will continue to grow by 26% annually through 2024, dealing with data really is a massive challenge. Most data governance programs are simply not designed to address the new issues that accompany collaboration tools and cloud-based apps used within the workplace. This was certainly one of many roadblocks our client was dealing with.

Data governance often means different things to different groups and is often not clearly defined across an organization. This was the case within this client organization. Different stakeholders viewed data governance with varying levels of urgency and the objectives and value sought from data varied across the enterprise, which made the task of communicating the business case a challenge. For example, while business users may buy in to the program based on opportunity for more reliable and better-organized data, IT and database administrators will likely be driven by the opportunity to retire redundant and outdated systems and security and legal teams are motivated by improving risk management. The resources and time required to implement these initiatives often falls more heavily on some than others, or in some cases, may overlap or infringe on existing initiatives.

Layer on top of this the overarching goal of securing data through adoption of security practices based on regulatory standards, the adoption of new technologies for protecting data and the importance of relying on individuals with specific expertise and training, the demands of a modern data governance program are far-reaching.

It is not surprising, then, that resource fatigue is another issue we encountered within this project and others like it. Due to the size and scope of most data governance programs, and the need for ongoing involvement of so many stakeholders, many teams become overwhelmed. Teams may uncover new issues or be forced to change timelines in response to unexpected changes in the organization. These challenges must be met without diverting attention from most important goal of any business: continuing to provide the best service to customers. This can be exhausting for the project team and for the organization as a whole. Projects can fail, budgets may be cut, and stakeholders simply give up out of frustration. We had to work diligently to help our key stakeholders within this client to keep project fatigue at bay.

Regulatory requirements—particularly compliance with the Department of Defense’s (DOD’s) Cybersecurity Maturity Model Certification (CMMC)—were significant drivers for this client’s data governance initiative. What were some of the risks and concerns under consideration?

Frazier: For most companies, including this client, data has become the greatest risk and the greatest opportunity. With the growing plethora of standards and regulations surrounding data, corporations are being put under a heavy burden to both understand their obligations and comply with relevant standards, including General Data Protection Regulation, HIPAA, the California Consumer Privacy Act, and the National Institute of Standards and Technology (NIST) framework , as well as contractual obligations such as CMMC.

What we saw with this client was that in order for the client to preserve billions of dollars in government contract revenue, the organization needed to fulfill the new CMMC requirements by identifying controlled unclassified information (CUI) in more than 3,500 applications comprised of approximately 7,000 structured databases and protect the information in methods outlined by the government. The timeline for identification and protection was reduced from 18+ months to less than one year and the privacy concerns had to be mitigated while not interrupting critical business operations.

McNew: More than 26 pieces of legislation that address data privacy and data protection have been introduced or passed by lawmakers in the U.S. We’re already seeing a push among some legislators to introduce a federal bill that emulates GDPR in the U.S. Whether or not a federal data privacy law is ultimately written into law in the U.S., our clients operating here are already dealing with a patchwork of complicated requirements that impact the way they do business.

In the case of this client, CMMC compliance directly implicates revenue. Initially, the client wanted to build a program that would mask or otherwise protect its CUI to meet the new standards. We quickly realized that they also needed to be thinking about what data could be defensibly decommissioned rather than stored and protected at a long-term cost to the client. Why spend money to protect data that nobody is using, or risk legacy systems coming into scope in a regulatory investigation? Working from this mindset, we helped the client take a broader view of its data risk to include the many costs and risks associated with retaining data that is no longer necessary.

In Part 2 of this roundtable, the team will share more about CMMC requirements, the solutions they’ve implemented and the results to date.

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.