[Webcast Transcript] Breaking Down Barriers: Leveraging Unified AI and Cross-Functional Data Strategies to Drive Business Results
Editor’s Note: HaystackID® brought together industry experts in a recent webcast to discuss the interplay of artificial intelligence (AI), data management, and cross-functional collaboration in modern organizations. The session, “Breaking Down Barriers: Leveraging Unified AI and Cross-Functional Data Strategies to Drive Business Results,” shed light on how breaking down silos between fields like eDiscovery, cybersecurity, and privacy governance can unlock new efficiencies and insights. Panelists emphasized the importance of proactive data governance, highlighting the value of aligning skill sets and reconciling competing legal and business priorities. The conversation emphasized the critical need for strong data classification and clear use-case planning when deploying AI tools to mitigate risks and enhance organizational strategies. Real-world examples, including the risks of oversharing data with tools like Copilot for Microsoft 365®, illustrated the importance of thoughtful implementation and robust security controls. Read the full transcript to explore how these expert insights can transform your data and AI integration approach.
Expert Panelists
[Webcast Transcript] Breaking Down Barriers: Leveraging Unified AI and Cross-Functional Data Strategies to Drive Business Results
By HaystackID Staff
Industry experts shared their perspectives on the critical intersection of artificial intelligence (AI), data management, and cross-departmental collaboration in addressing modern organizational challenges during HaystackID®’s webcast, “Breaking Down Barriers: Leveraging Unified AI and Cross-Functional Data Strategies to Drive Business Results.” The experts emphasized the importance of breaking down silos between fields like eDiscovery, cybersecurity, and privacy governance to utilize shared data sources better and align skill sets. The presenters highlighted the tension between legal and business needs, advocating for proactive data governance and reconciling conflicting priorities through cross-functional collaboration.
Throughout the presentation, the panelists explored AI’s role in enhancing documents throughout their lifecycle, from creation to litigation. They highlighted the need for collaboration between legal and cybersecurity teams, as insights gained from data classification during litigation can bolster cybersecurity strategies. The presenters also warned of the risks of oversharing data with AI tools, illustrating the importance of clear use-case planning and user education to mitigate exposure risks.
The panelists detailed how poor data hygiene and oversharing can undermine security and compliance efforts, exemplified by incidents where tools like Microsoft Copilot exposed sensitive information. To address these challenges, they proposed a forward-looking approach focusing on strong controls for new data while incrementally addressing legacy data issues. Moderator Nate Latessa said, “Data classification is, to me, the holy grail. If we can classify data, we can better protect information from a cybersecurity standpoint.”
Read the full transcript to dig into strategies for eliminating operational silos and enhancing communication to drive sustained growth and innovation at your firm.
Transcript
Moderator
Hello everyone and welcome to today’s webinar. We have a great session lined up for you today. Before we start, there are just a few general housekeeping points to cover. First and foremost, please use the online question tool to post any questions you have, and we will share them with our speakers. Second, if you experience any technical difficulties today, please use these same question tools, and a member of our admin team will be on hand to support you. And finally, just to note, the session is being recorded, and we’ll share a copy with you via email in the coming days. So, without further ado, I’d like to hand it over to our speakers to get us started.
Nate Latessa
Outstanding. Thank you so much, Linda. Hi, everyone, and welcome to another HaystackID webcast. I’m Nate Latessa, your expert moderator and lead for today’s presentation and discussion, “Breaking Down Barriers: Leveraging AI and Cross-Functional Data Strategies to Drive Business Results.” This webcast is part of HaystackID’s ongoing educational series designed to help you stay ahead of the curve and achieve your cybersecurity, information governance, and eDiscovery objectives. We’re recording today’s webcast for future on-demand viewing, and we’ll make the recording and a complete presentation transcript available on HaystackID’s website. I’m excited to present today alongside Mike McBride and Maureen Holland. And Mike, why don’t we start with you if you want to give us a quick intro on yourself?
Mike McBride
Sure. My name is Mike McBride. I am currently the M365 Modern Workplace Engineer at the Bricker Graydon law firm. The firm’s based in Columbus and Cincinnati, Ohio, but I’m remote. That title is basically a fancy way of saying that everything that has to do with M365 and using Teams and AI and all that stuff falls under my purview. So yeah, that’s kind of what I do. My background, though, is in eDiscovery and training and consulting. So, I’ve been around the industry in various ways for 17 years and seen it all.
Nate Latessa
Outstanding. Thanks, Mike. Maureen?
Maureen Holland
Hi everybody. Thanks for joining us today. I’m Maureen Holland. I am currently the manager of Assurance Services and US Privacy at AstraZeneca. I’m in a bit of a unique role. It’s a new role that has exposed me to many different areas, especially around privacy and compliance and a lot of the things we’re going to talk about today. I have a 20-plus-year career in eDiscovery. And I think my favorite part and what I’m looking forward to today is taking those skills that I learned in the eDiscovery industry and applying them to other areas that are not necessarily legal. So it’s very nice to be here today.
Nate Latessa
Thank you, Maureen. And I’m Nate Latessa. I’m the Executive Vice President of Advisory Services at HaystackID. I started my career 22 years ago in eDiscovery and started a couple of different eDiscovery companies, and honestly I grew frustrated at the time because I kept seeing a lot of the same issues coming downstream from poor data hygiene and poor data management that were leading to increasing eDiscovery costs along the way. So I pivoted my career to focus more on information management and ended up starting my own software company. Then I went to a couple of other companies after that to help them grow their advisory services practices, really focused on data and information management. The idea is to help companies understand what they have and where it is, identify critical sensitive data, and classify it so that it impacts everything downstream: we strengthen our cybersecurity posture, limit our privacy compliance exposure, and reduce our eDiscovery costs. So that’s enough about me. Why don’t we just dive right in? And Maureen, I’m just going to come to you first because I feel like every time you and I talk, the very first slide we always talk about, or our first question, is, what keeps you up at night? And I think the last time we talked, we probably could have spent an hour just on this one slide. What’s keeping you up at night, Maureen?
Maureen Holland
Considering who our audience is, I don’t know everybody’s background, and that’s what I think is most exciting about this conversation today. There are a lot of things I wouldn’t necessarily say keep me up at night; it’s the opportunity. And as we talk about what’s going on around data within organizations today, I hope people walk away saying, wow, depending on my skill sets, maybe I can do something like this too. To put it all together: whether it’s eDiscovery, whether you’re in cybersecurity, whether you’re in privacy governance, whatever industry you’re in, we’ve worked in silos for so long, where everybody was pretty much doing their own thing. And for me, the question is how we bring this all together. I think collaboration is going to be something that everybody talks about; I’m already starting to hear more about it. But the biggest concern to me is how to stay current with my skill sets so I can adapt and grow in this rapidly changing industry. Data drives everything around the business. And I think, as the three of us talk more, we’ve got to start coming together. We’ve got to start breaking down those silos, because when you actually talk to stakeholders and build these relationships, even though they’re doing different things with the data, 95% of the time a lot of the data sources are the same. So instead of everybody working independently, we need to start bringing these different teams together. So, besides developing my skill set, how can one person make a difference by building more connections among the people who are working with the data?
Nate Latessa
It’s interesting; one of the conversations I’ve had a lot lately, especially when we’re talking about the eDiscovery side of the house, is that everybody’s trying to figure out how to use AI and how we’re going to apply it. One of the things I always want to point out is that we can’t think of AI as touching that document only once it gets to the point of litigation; we’re just enhancing it at that point. You’ve got other conversations going on inside the organization about enhancing that document using AI all the way back to the point of creation. You’ve got information management and records managers looking at how to enhance it and use AI to classify those documents, as well as your privacy folks and your cybersecurity folks. So a lot of times, by the time that document gets to legal, it may have already gone through some kind of AI enhancement along the way. It’s not just happening at the point of litigation. Mike, how about you? I know we talked a lot about just what’s keeping everybody up at night. What are your thoughts on this?
Mike McBride
What doesn’t keep me up at night? Honestly, to Maureen’s point, at a personal level there are things that are very exciting, and I see some of those opportunities at a professional level as well. But I also have to deal with the fact that I work at a law firm, and law firms are risk-averse. So I have to constantly keep in mind where the risks are. When you look at a question like who owns the data, that’s a risk to me, and it opens up a bunch of other questions about whose data we actually have. Do I have client data? Do I have our employees’ data? Do I have customer data? How many different kinds of data do we have? And then how do I make sure that security is set properly? I always think back to how, for years in eDiscovery, we’ve been trying to get defensible deletion to be a thing: don’t keep your data forever. And I think AI has reopened that conversation. Hey, if you point an AI tool at your entire history of documents, what’s it going to find? Right? And should you still have that stuff? So those are the questions I keep coming back to: who will make those decisions? How will we make those decisions to ensure that we are actually using AI on data that we want to be using it on, and not on stuff that shouldn’t be out there?
Nate Latessa
Well, that’s a good point. Go ahead, Maureen.
Maureen Holland
Oh, no, I was going to say, we could just have one slide of what keeps you up at night, because I want to segue off of what Mike was saying, too. I’m not trying to rock the boat around the eDiscovery industry, but one of my changes now is that I’m not so heavily involved in eDiscovery, right? I’m heavily focused on US privacy, and there’s a lot I’m doing in those areas around marketing and all these different groups. Some people don’t like the term “non-legal,” but I have to use it because of the stakeholders I’m dealing with, and I did a kind of relationship mapping of my legal stakeholders versus my non-legal stakeholders. eDiscovery is a reactive industry; it’s reacting to litigation. Sure, you can prepare for litigation to a degree, but the stakeholders I’m dealing with are so much closer to the source data, and they want more proactive approaches. So right now, what I’m seeing, to Mike’s point, is a conflict between the business needs and the legal needs. And again, whether it’s councils or committees, it has to be a team effort to say who owns this and what we do with it. We have a lot of competing priorities right now.
Nate Latessa
Yeah. Well, I think that goes back to our next slide here. Mike, you touched on this too: it’s the security side, the lack of proper data controls, that keeps you up at night. You and I had a conversation about this when we were preparing for this presentation, talking about how security is really more asset-focused than data-focused, the impact of that without proper classification, and how that affects AI. Can you talk a little bit about that?
Mike McBride
Yeah. So again, being in the M365 world, I virtually attended the Ignite Conference a few weeks ago, and the word “oversharing” came up almost as often as “Copilot,” usually in conjunction with each other. Microsoft has had a lot of clients go back to them and say, hey, we’re really concerned about oversharing of data when it comes to using AI. We’re really concerned about stuff just sitting out there, with people not paying much attention to how they share it. So that has really become a focus for them, and I think it’s become a focus across our industry. The idea is that we can’t just share things with everyone; that’s not the way to go about this. You want to be thoughtful about who you’re sharing with and share the stuff that needs to be shared. 100%. Many of the tools we use today are very collaborative, and we absolutely use them to collaborate, but make sure you’re collaborating with people who need it, versus saying, eh, it’s easier if I just make this accessible to everyone in the entire organization.
Nate Latessa
Right? Well, it’s easier, sure. If you look at the past, if I had access to, say, the finance share or the HR share that I shouldn’t have access to, I probably would never know that, because I’m not going to test those controls. I’m not going to go look for documents that I shouldn’t have access to. But Copilot and AI don’t know the difference. They’re going to access and ingest anything they have access to. So it’s going to return documents, and it’s always going to test those controls and expose some of these things. Is that one of your concerns too, Mike?
Mike McBride
Yeah, absolutely. The classic example is the one you mentioned, right? I’ve got a spare SharePoint site that’s open to everybody in the organization. Nobody ever sent me the link, so I don’t know it’s there. And I run a Copilot search that says, hey, how much do the executives make in this company? And it says, oh, here’s the data.
Nate Latessa
Well, I was just doing a Copilot presentation over the summer, and one of the folks told me that a friend of theirs who works at a law firm rolled out Copilot broadly to everybody in the firm. On day one, somebody asked how partner bonuses are calculated, and the next thing it produced was an Excel spreadsheet of the partners’ bonuses from the previous year. The next day, they immediately removed Copilot from all those machines because they just didn’t anticipate that issue. But I think the one stat that’s on here, that 16% of all corporate files are overshared, is a huge concern. If you think of it in terms of a terabyte, that’s 160 gigs of overshared data for every terabyte within the organization. To me, that is just a massive concern. The other one I saw, Varonis had a stat, I think, that the average employee on day one has access to 17 million files. No employee on day one needs access to that many files. But because they’re granted access, like you said, Mike, to the SharePoint site or file share, they just automatically get that. And Maureen, I know you run into some of this stuff, too, and we’ve talked about that. So, I want to give you a chance to chime in here and give your thoughts.
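The oversharing figures Nate cites can be sanity-checked with back-of-the-envelope arithmetic. A minimal sketch; the 16% and 17-million figures come from the panel discussion (the latter attributed to a Varonis report), not from this code:

```python
# Rough exposure math for the oversharing stats cited above.
TB_IN_GB = 1000  # decimal terabytes, matching the "160 gigs per terabyte" figure

def overshared_gb(total_tb: float, overshare_rate: float = 0.16) -> float:
    """Gigabytes of overshared data implied by the cited 16% rate."""
    return total_tb * TB_IN_GB * overshare_rate

print(overshared_gb(1))   # 160.0 GB per terabyte, as noted in the discussion
print(overshared_gb(50))  # 8000.0 GB across a hypothetical 50 TB estate
```

The point of the exercise is that the exposure scales linearly with the estate: every additional terabyte of unmanaged storage adds another 160 GB of overshared material.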
Maureen Holland
Well, I’m just going to say quickly, because I know we want to keep going with a lot of topics, that I hope there’s more conversation around this. One of my frustrations, and I have to give a shout-out to AstraZeneca here because they did this generative AI (GenAI) program, which they’re starting to speak publicly about. What I loved about it is that they gave us a foundation for the technology and the principles; they had 13 strategic thinking principles around AI and GenAI. With all the buzz going around, AI this and AI that, I’m starting to see it die down a little bit. However, there has to be a distinction between things like Claude or ChatGPT versus Copilot, because Copilot is an application that is part of M365, which is the foundation of most of these organizations. And if you don’t have the proper controls in place, and again, I’m not harping on Microsoft, because it’s part of who we are and what we do, but they’re acting as if everybody uses the same type of security controls, classifications, and sensitivity labels as they do as an organization, across all these different companies. The majority of people don’t use them in the same way. So I know they’ve got built-in security features and things that you can do, but a lot of their functionality within Copilot is dependent on it. Mike, please keep me in check here; my expertise isn’t in sensitivity labels, categorization, and classifications. I hope people start paying attention, because I’m starting to hear more and more people who ran huge pilot programs of Copilot say they’re either not renewing the licensing or they’re cutting back on the beta testing because of what they found in this area. And I don’t think this area is discussed enough.
Nate Latessa
And Maureen, that wasn’t short at all. I want to touch on that, and I want to put Mike on the spot here because he has so much experience in this. Mike, if somebody does want to adopt Copilot or some of these other AI tools, what are some of the minimum security requirements or configurations that you would advise them to set up?
Mike McBride
I think, first and foremost, and Maureen, I don’t want to bash AZ as a large company, but large companies especially have got to get an understanding of who has access to what and how security is set up. Your example earlier was perfect, right? You gave everybody Copilot and then realized that they had access to the partner compensation information.
Maureen Holland
I have to add a disclaimer: we do have some pretty amazing controls over the data. And I think that’s the point: you can’t know everything about your data, especially in large organizations. But here’s the same challenge from a regulatory perspective: regardless of the size of your business, from a legal perspective, a small business has the same responsibilities as a large business. You are still held accountable for all these privacy and compliance requirements that are coming up. Now, you may not be targeted as a small business, but that’s no excuse for not doing something. So it doesn’t matter what size a business is; everybody has a responsibility.
Mike McBride
No, absolutely. Our firm is much, much smaller than AstraZeneca, but we still have the same concerns. We still deal with regulated industries, so we have to handle client data from those industries in a certain way, and we have to understand that security. I know the next slide talks a little bit about law firms specifically, but those are the things to do before you roll out an AI tool and give it access to your systems, whether it’s Copilot or some other tool. In the case of Copilot, Microsoft is very adamant that, hey, Copilot only has access to whatever the user has access to. So: do I know what the user has access to, and do they have access to things they shouldn’t? Putting those controls in place takes a little bit of maintenance, and look, when I say a little bit of maintenance, we are talking about months-long projects to get a handle on what’s out there, who has access to it, and who needs access to it versus who just has access because someone got lazy. In terms of M365, those are the things I think we should look at: can you map security? Do you have security controls in place? Are you using things like sensitivity labels so that you know where your sensitive data is and you’re taking steps to protect it? Microsoft is, again, very big on providing ways to keep things out of Copilot responses: if it’s marked with this label, do this, do that. There are a lot of different ways to do it now, but you still have to sit down and do it. You can’t just turn it on and expect that if a document has personal information in it, it won’t come back. It won’t come back only if you mark it as something with PII and take steps to protect it.
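Mike’s two-part rule, Copilot only surfaces what the user can already read, and labeled content can additionally be held back, can be sketched as a filter over retrieval results. This is a hypothetical illustration, not Microsoft’s implementation; the `Document` fields, label names, and `"Everyone"` principal are invented for the example:

```python
from dataclasses import dataclass

@dataclass
class Document:
    path: str
    acl: set                 # principals allowed to read the document
    label: str = "General"   # hypothetical sensitivity label name

# Hypothetical policy: labels that should never surface in AI responses.
BLOCKED_LABELS = {"Highly Confidential", "PII"}

def visible_to_copilot(docs: list, user: str) -> list:
    """Keep only documents the user can read AND whose label isn't blocked.

    Permission trimming alone is not enough: an "Everyone" ACL (oversharing)
    still grants access, so the label check is the backstop Mike describes.
    """
    return [
        d for d in docs
        if (user in d.acl or "Everyone" in d.acl) and d.label not in BLOCKED_LABELS
    ]

docs = [
    Document("hr/partner-bonuses.xlsx", {"Everyone"}, "Highly Confidential"),
    Document("hr/partner-bonuses-copy.xlsx", {"Everyone"}),  # unlabeled copy
    Document("marketing/brief.docx", {"nate"}),
]
# The labeled spreadsheet is held back, but the unlabeled, overshared copy
# still surfaces: exactly the failure mode discussed above.
print([d.path for d in visible_to_copilot(docs, "nate")])
```

The unlabeled copy slipping through is why the panel keeps stressing both halves: tighten the ACLs and apply the labels, since either control alone leaves a gap.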
Nate Latessa
Well, it’s not only marking that legacy data; we also want any new documents that are created to inherit those sensitivity labels and classification tags so that all that new data doesn’t have to be reclassified. A new document inherits whatever classification the document it was created from carries. Mike, one of the things I think a lot of companies struggle with when we start talking about getting a handle on their data is that, unfortunately, so many companies have had poor data hygiene over the years, and it looks like such a massive hill to climb when you think about the amount of data they have and going back through it to understand what they have and where it is. One of the things you and I talked about was that we’ve got to find a way to just stop the bleeding, right? We’ve got to start from a good point in time, get good controls in place, classify data upfront, and then deal with the legacy data later. Can you talk a little bit about that?
Mike McBride
Yeah, exactly, because like I said, the idea that I’m going to go back through the last 30 years of documents, or however long we have documents (it’s a long time), mark them all, and actually review them? That’s just not going to happen, not in any sort of timely way. We’ll be so far behind the AI trend by then that it’s not even worth doing. So you have to think about how we are going to do this. Instead of pointing at the entire data set, are we going to create smaller language models that are targeted toward specific data, and then take other things and just hide them? Just turn off access until we figure out what to do with it, block people from accessing it, and handle it on an as-needed basis. Those are definitely things a lot of people are thinking about. This slide also touches on something specific to law firms with confidentiality: you have to figure out who has access to what, but you also have to make sure your client’s confidential information isn’t leaking. As a lawyer, I have access to a lot of confidential information from my clients. But if I’m asking ChatGPT or Copilot to, hey, look at the documents I have access to and see if you can write a blog post about this thing, it may come back and say, oh, here’s an example of a merger that you might want to include in your blog post. But it’s not actually a public merger; it’s not a public record. It was just in your documents. There are controls you can put around that, and there’s also just educating people: read what it gives you and make sure you’re not leaking data. Make sure it hasn’t pulled in a document you legitimately have access to but that definitely should not be included in a blog post.
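The “stop the bleeding” approach Nate and Mike describe, classify at creation, quarantine unreviewed legacy stores from AI access, can be sketched as a simple gating policy. A minimal sketch under stated assumptions: the cutover date, the `"Unreviewed"` default label, and both function names are invented for illustration:

```python
from datetime import date
from typing import Optional

CUTOVER = date(2025, 1, 1)  # hypothetical go-forward ("stop the bleeding") date

def inherit_label(source_label: Optional[str]) -> str:
    """New documents inherit the label of whatever they were created from,
    per the inheritance behavior described above; an unlabeled source gets
    a conservative default rather than no label at all."""
    return source_label or "Unreviewed"

def ai_may_index(created: date, label: str) -> bool:
    """Go-forward gate: only post-cutover, labeled content is eligible for
    AI indexing; legacy data stays quarantined until triaged as needed."""
    return created >= CUTOVER and label != "Unreviewed"

print(inherit_label("Confidential"))              # "Confidential"
print(ai_may_index(date(2025, 6, 1), "General"))  # True: new, labeled
print(ai_may_index(date(2010, 3, 4), "General"))  # False: legacy stays hidden
```

The design choice here mirrors the discussion: a conservative default means a gap in labeling fails closed, and legacy data is surfaced incrementally rather than blocking the whole rollout on a 30-year remediation project.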
Nate Latessa
Yeah. I mean, would you recommend limiting the data it has access to? I know there are some pretty good controls within M365 for that. We can segregate or remove entire SharePoint sites; we might want to exclude the HR file share or the finance share and just focus on a specific use case. To me, that was one of the things: when I talk to folks about using Copilot, I always ask, what is it you want to get out of it? What do you want to do? And a lot of times, the answer I get back is, huh, I never thought about that. I just wanted Copilot. But it’s really about digging in and understanding what their requirements are and what they hope to get out of it, right?
Mike McBride
No, absolutely. And I think that’s one of the things a lot of the AI companies are now talking about: agents and targeting data. Microsoft is rolling out SharePoint agents, so you can take just one SharePoint site and ask questions about it, and the only data the agent pulls from is the data on that one SharePoint site. I think that is a great opportunity to create AI tools that a team can use with just that data, where I don’t have to concern myself with what it might pull in from random places a person has access to, because the agent only has that little bit of access.
Nate Latessa
Exactly. Alright, Maureen, this is one you and I talk about a lot, right? That’s the silver lining here. How can we move from risk avoidance to opportunity? We talked about the many opportunities that AI is creating. Do you want to talk about that? I know you deal with many different business units and how they all use data, but I’d love to get your thoughts on the silver lining here.
Maureen Holland
And I think that kind of comes back to, and you’ll have to remind me of some specifics because I know we can go off on this, the fact that it starts with, and again I am going to emphasize this, collaboration. I want to give a call-out to smaller organizations because, Mike, you just hit on a point, too. It’s what we’re trying to do from a bigger picture, on a global scale, for certain organizations, whether it’s a business operating within the US or a global organization with different rules, laws, and regulations. The areas of privacy, IT, security, cybersecurity, governance, even marketing, are starting to come together. One of the biggest things about this, if we want to put it in relation to the EDRM, is that I’m on a personal mission to get as close to the left side of the EDRM as possible, meaning I am trying to figure out what all these different stakeholders need to do and where this data is located. For anybody who’s been in the eDiscovery and consulting services industry for a while, we’re kind of coming full circle and going back to data mapping again. Then we can build relationships with all these stakeholders, truly understand their needs, and find out where we can integrate the technology. As much as I love M365 and all this stuff with Copilot, we know that’s not the only solution you can have, and it doesn’t necessarily do everything you need for certain areas of the business. Just as much as the bells and whistles wow you, you also have to understand the limitations of any product. So I really do see more cross-functional collaboration, as well as more integrated technology that comes closer to the source data, being where we all have to go, because we need to take a proactive approach to all of this versus a reactive one.
That’s why, at least at our organization, and just to be clear, I’m speaking from my own personal experience, not about anything AZ is or isn’t doing, because I’m not as closely involved in the security part of it, they’re starting to form enterprise governance. I’ve heard different takes on that, but I think there’s a huge opportunity for stakeholders to come together and really figure out where they can help each other. The traditional roles of someone focused on privacy, or someone focused on IT, or someone focused on eDiscovery, that’s not enough anymore. I think new roles are being created for people like me to bring these different groups together.
Nate Latessa
Yeah. Well, one of the things I always talk about is having different departments collaborate; one of the best opportunities inside organizations is between legal and cybersecurity. When I look at some of the challenges that cybersecurity faces today, one of the stats I use in my talks is that 62% of all cybersecurity professionals don’t know where their company’s critical sensitive data is. These people are tasked with protecting that information, understanding what it is, and ensuring that it doesn’t get out, and 62% of them don’t know where it is. And if you ask the other 38%, they’ll probably tell you that critical sensitive data is something they can find with a regex. But when I think of critical sensitive data, it’s all the stuff that gives you a competitive advantage: IP, trade secrets, customer lists, financial data, things like that. In the litigation process, we basically classify data every day. We’re looking for that information; we’re creating issue tags to find that stuff in litigation. All of that is so valuable to the security team, and it never makes it to them. It never gets passed along. I think there’s such a great opportunity to learn from those litigation insights and actually strengthen our cybersecurity posture with that information. I didn’t want to go off on a tangent, but as I said, I’ve always thought there’s such a great opportunity for cross-department collaboration, because legal has the insights that cybersecurity is looking for right now to better protect their information.
Maureen Holland
Sorry, but you just hit on a good area there, because you’ve got all this stuff in a separate technology. Let’s say it’s eDiscovery: your issue coding within litigation review platforms. Well, how do you bring that back to the source systems? Because the only way to benefit from that work is to get the coding on those documents back to the source data systems, whether it’s M365 or something else we use, like a records management program. And that’s a new challenge that I don’t know anybody has the answers to. I can’t tell you how many times I’ve heard “classifications” used, and I use the quotes because there are different types of classifications, whether it’s through the eDiscovery process, the RIM process, or Microsoft 365. How do you bring all that together so that, again, you can become more proactive than reactive?
Nate Latessa
Do I even need to bring it together? I know where you’re going, and I’m wondering if we could just use it almost like a data mapping tool. Through the litigation process, I can take those issue tags and see if there are potential hotspots of data based on location information. It might be that I have financial data in a SharePoint site that’s buried somewhere, or certain custodians with a higher density of really critical data. You talked about creating data maps; I wonder if that’s a way we can jumpstart the process, by taking those litigation insights and mapping those issue tags to some type of data map to get a sense of where things are.
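Nate’s idea of jumpstarting a data map from litigation coding can be sketched as a simple aggregation: count sensitive-issue tags by source location to surface hotspots. A minimal sketch; the tag names, paths, and the export format are invented for illustration:

```python
from collections import Counter

# (source_location, issue_tag) pairs as they might come out of a review
# platform export; all names and paths here are hypothetical.
coded_docs = [
    ("sharepoint/finance/q3", "financial-data"),
    ("sharepoint/finance/q3", "financial-data"),
    ("fileshare/hr", "pii"),
    ("sharepoint/eng/specs", "trade-secret"),
    ("sharepoint/finance/q3", "trade-secret"),
]

SENSITIVE_TAGS = {"financial-data", "pii", "trade-secret"}

def hotspots(pairs) -> Counter:
    """Count sensitive-issue hits per location; high counts flag the stores
    a security team should prioritize for controls."""
    return Counter(loc for loc, tag in pairs if tag in SENSITIVE_TAGS)

print(hotspots(coded_docs).most_common(1))  # [('sharepoint/finance/q3', 3)]
```

Even this crude tally answers the question Nate poses: without pushing coding back into the source systems, the tag-to-location pairs alone are enough to tell cybersecurity where the densest pockets of critical data sit.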
Maureen Holland
And that’s the opportunity I see for people who want to look beyond their traditional role. If you can use that information, anything you can do to provide more insights to the business is going to be critical, because you see these worlds merge. And again, it goes back to privacy. I was on a webinar the other day and people were like, well, delete it all. You have to delete all your data. It’s like, well, that’s not really realistic, because there’s so much data intelligence and business intelligence within this data. Who is the person who can provide those insights and say what critical knowledge the business needs to understand? Another statistic I’m learning about is that one of the biggest risks to organizations right now is employee conduct or unethical behavior. So there’s a whole business area that really needs some of this attention. How do you bring those worlds together?
Nate Latessa
Yeah, I agree. Mike, I want to give you a chance to chime in on this, too. I know you’ve got some thoughts here as well.
Mike McBride
Your examples of cybersecurity and eDiscovery are really right on, because in my years of eDiscovery, one of the things we always worried about was the data we didn’t know about: a backup email server from 2015 that has all of this relevant data, but nobody told us about it, and now we’re going to get sanctioned for not producing it because we didn’t even know it was there. Cybersecurity has got that same risk. We didn’t know it was there, so we didn’t know to protect it. As you said, that percentage is high. And that’s the thing. You could put great controls in place, but if there’s a set of data sitting somewhere that you don’t know about, a network share you’re unaware of that you’re not putting controls on, then it gets breached. That happens. And so that’s why I was like, yep, that’s exactly the collaboration that should occur, and it does happen in a lot of cases. It doesn’t always happen, but that network share or that backup email server came from somewhere. Someone knows it’s there. It’s just not anybody on your team. And so it’s about being able to break down those silos too and say, okay, who on the IT team knows about things from 20 years ago that might still be sitting on a network share somewhere? I’ve worked in law firms and been asked, hey, could you go get this data from a case 25 years ago? And I thought, no, we don’t have that, and then somebody would come along and say, oh, no, there’s this other network share that I had no idea about. Oh, okay, cool. So yeah, it’s like, how do you keep that historical data and the historical knowledge of what’s out there, and make sure that the teams who need to know about it know about it?
Nate Latessa
And legal seems to be in the best position to take advantage of that. I mean, they’re always interrogating the data. They’re always enhancing data. I can’t think of another process within the organization that goes through and analyzes data at that file level with any regularity. Legal is, right? Maureen, am I missing something? Is there any other process in the organization that examines data, like legal does, on a daily basis?
Maureen Holland
No, I’m smiling. This is why I love my job: because I’m seeing, again, traditional versus future work roles. RIM, records and information management, is a critical function of any organization, the “just in case” function. But at the same time, I’m part of this organization that’s talking about, well, what does our future look like? We know what traditional records management looks like, but now you’ve got data governance becoming the golden child. And so the worlds of records management and data governance are changing. Whether it’s information governance, data governance, or records and information management, they have very specific uses, but the conversation has shifted. We were looking at records, and digital information is a little trickier when identifying what an actual record is. And so now you have these worlds coming together. So again, I just love learning. I don’t think anybody has the answers, but there are a lot of conversations going on right now about the traditional versus the future.
Nate Latessa
And by the way, I didn’t mention this earlier. If anybody has any questions, please feel free to put ’em in the chat. And if we have some time at the end here, we’ll try to get to those. We’ve already touched on data strategies, managing risk, and data controls. Mike, again, I know this is kind of the world that you live in here. And again, we talked a little bit about this earlier, but can you just give us a little bit more color on this?
Mike McBride
Yeah, that first question is always interesting, because everybody feels like they require it, right? Of course, I need it. Maybe not other people, but I do. And every time you go to ask that question, it’s: I need it. I need it. We need it. Oh yeah, we absolutely need that. Do you need it, or do you need it once a year? What’s the situation here? And so defining that can be difficult. Those are difficult conversations. We talked about this the other day, Nate: those conversations around who really needs access to things, and how it should be set up. They’re difficult conversations, but they’re necessary conversations. You have to have an understanding of what people are doing. And again, I work in an IT department now, so I’m looking at things from an IT and technology perspective, but I have to understand what people are doing. I have to have some grasp of what they’re trying to accomplish. Otherwise, I’m just going to lock everything down and make it easy for myself. The simplest thing to do: nobody has access to anything; you’ve got to come ask me for it. But I don’t want those emails at one in the morning, so that’s not what we want to do. So you have to get a grasp of what people are trying to do and what data helps them do their jobs, and that’s everyone in the organization. We were talking the other day about how your marketing department might need information. I think about the weekly and monthly emails we send out to all staff with recent wins. Well, how do you get that information? Who’s giving you the recent wins? Are you having to search for it? And if you can’t search for it, if I lock you out of stuff, do you not have that anymore? So it’s really about defining things down to what your role is and what information you need to do your role. And as Maureen said, those roles are constantly changing because we will interact with different departments.
My role can’t just be doing this one simple thing, because that one simple thing might be automated one day.
Nate Latessa
This goes back to what we talked about before. I think one of the biggest problems is that this is very difficult to do. Without data classification and sensitivity labels, we’re forced back into that broad access model again, where we’re just oversharing or over-providing access to entire file shares or SharePoint sites because we don’t have granular controls, right?
Mike McBride
Yeah, absolutely. And again, that’s part of that difficult conversation, which also means saying no sometimes: I can’t give you access to this; it’s too much. There’s data in that SharePoint site, in that DMS workspace, wherever it is, that you shouldn’t have access to. And you have to help people understand that we have to limit these things, we have to keep things contained, because at the end of the day, if my credentials get stolen, how much damage does that do?
Nate Latessa
Right?
Mike McBride
I’ve got to find a way to ensure that you can do your job but that if you get phished, I can still limit the damage.
Nate Latessa
I want to go back to one of the things I mentioned earlier, and the question on the screen here: what are the critical files versus the overshared ones? This is something I just want to stress: if I go to five different departments of the organization and ask them to define what they consider to be critical files, I’ll probably get five very different answers. If I go to the cybersecurity people, they’re going to say it’s PI. Okay. If I go to finance, they’re going to say it’s those financial documents. If I go to research and development, it’s going to be IP and things like that. Everybody has a different definition of this, but we lump ’em all together and just say it’s critical sensitive files. And to me, the PI piece is probably the easy part. That’s usually regex or something that we can identify through a data loss prevention tool or some other tools we have in place. But the IP controls are probably the hardest. Nobody’s ever told the security people, here’s what our IP looks like. And finance has probably never had the conversation with security to say, here’s what our critical sensitive financial documents look like; you need to protect these differently. To me, it feels like that conversation never happens. So we don’t have a good definition of critical files across all the different departments, and cybersecurity just assumes they know what that is. I mean, do you see that, Mike?
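[Editor’s note: Nate’s point that PI is “the easy part” comes down to pattern matching: common identifiers have fixed formats a DLP tool can scan for, while IP does not. A minimal sketch, with deliberately simplified patterns that are not production-grade DLP rules:]

```python
import re

# Simplified stand-ins for DLP detection rules. Real DLP tools layer on
# validation (checksums, context keywords) beyond bare regexes like these.
PI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

def scan_for_pi(text):
    """Return the PI categories whose patterns appear in the text."""
    return [name for name, pattern in PI_PATTERNS.items() if pattern.search(text)]

print(scan_for_pi("Employee SSN: 123-45-6789"))          # ['ssn']
print(scan_for_pi("Project Falcon merger analysis..."))  # [] -- IP has no fixed pattern
```

The second call is the crux of the discussion that follows: a trade secret or merger analysis contains nothing a pattern scanner can latch onto.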
Mike McBride
Yeah, absolutely. I mean, definitely in the organizations I worked with when I was doing consulting, you’ve got a lot of different components to that, and Maureen can probably attest to this. The privacy laws in different locations are different, and you must obey them all. So you run into that. But I think in a law firm setting, the other part is also what’s confidential to your client. As I was saying earlier, some things are not going to show up in a regex scan. They’re not going to show up in a data loss prevention standard template scan, but they are absolutely private. When your client asks you to analyze a potential merger, that is private information, but there’s nothing in it that an automated tool is going to flag as private. It’s just going to say, that’s a merger analysis. But it’s private. It’s very, very private, incredibly confidential, and the tool won’t flag that. So you have to have some sort of functionality that says, hey, as an end user, when you’re saving this document, we need to give you a tool to flag it and say, this doesn’t get included in AI responses. This is private and needs to be secured from people not working on this matter.
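[Editor’s note: The user-applied flag Mike describes can be pictured as a label check in front of the AI’s retrieval layer. This is a hypothetical sketch, not how any particular product implements it; the document list and label values are invented.]

```python
# An automated scan can't recognize a merger analysis as confidential,
# so the end user labels it at save time and the AI layer honors the label.
documents = [
    {"name": "q3_report.docx", "label": None},
    {"name": "merger_analysis.docx", "label": "confidential"},
]

def ai_visible(docs):
    """Return only the documents a copilot-style assistant may draw on."""
    return [d for d in docs if d["label"] != "confidential"]

print([d["name"] for d in ai_visible(documents)])  # ['q3_report.docx']
```

The design point is that the filter runs on metadata a human supplied, which is exactly why the labeling conversation has to happen before the AI rollout.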
Maureen Holland
I want to bring this back to data strategies. As I listened to the two of you speak, it hit me where my mind goes when I listen to conversations like this, and this is why nobody has all the answers. You’re kind of talking about business as usual, the documents that are created in the course of business, and then stakeholders beyond that. And the biggest data strategy you can have is bite-sized chunks. Someone said that to me, and I’ve never been able to forget it, because you’ve got your organizational data, Microsoft 365, your email, your Teams chats, all these things, and organizations like ours are generating millions upon millions of documents. That’s where our enterprise IT comes in. But then you’ve got stakeholders with unique technology solutions and business systems for their own needs. That’s why you have to bring these two worlds together. One of my favorite relationships is with enterprise IT, because they’ll tell me their challenges within Microsoft 365. I’m starting to realize that this is a hybrid approach, where you have to wrap your head around what you know and then identify the different stakeholders. Mike, you mentioned privacy laws and all the regulatory things we have to comply with. If privacy had its way, and again, I’m not picking on anybody in privacy, it’s: don’t keep it, get rid of it all. But then you’ve got someone else, like cyber, saying, well, we need this information because of what we’re doing from an insider threat perspective. How do you bring those worlds together? The biggest conflicts are happening right now, and I’ve heard it in multiple conversations. You’ve got all these frameworks, like the NIST frameworks, that people say to apply from an AI perspective. You’ve got a privacy framework. How do you bring all these things together, and who identifies where there’s overlap or conflict?
And that is kind of what I see as something that’s going to impact data strategy overall if teams don’t start coming together to talk about this. Not all data is created equal, but if you don’t understand what data you’re dealing with, then no data strategy is going to be easy.
Nate Latessa
Exactly.
Mike McBride
Nate, in consulting, I know I’ve seen it, and I’m sure you’ve seen it, right? Sometimes you just have to have a big meeting. You’ve got to get all those teams in a room and say: what do you need? What are your requirements? What laws apply to you? What data do you need? What rules need to be in place to satisfy your need? And that includes IT also sitting there and saying, this is how the tool actually works. Because I’ve been in those meetings where people are like, I really need this. And I’m like, well, your tools don’t do that, so let’s talk about what they do.
Maureen Holland
You just hit on a huge passion of mine because everybody has these conversations around what should happen, which frameworks to follow, and what we need to do to be compliant. But nobody’s talking about the limitations or challenges of technology, and then trying to incorporate new technologies is just challenging.
Nate Latessa
Those are the limitations we’ve seen, too. I always go back to records management. Every company that I talk to has some kind of records management program, but if you ask ’em if it’s operationalized, they’ll laugh. Well, no, of course not, because the tools don’t exist; it’s not mature. At least before M365, we didn’t have the maturity there. A file share didn’t have the ability to enforce a records management policy. So it was just this document that kind of existed, but there was no way to enforce it. Sorry, Mike. I didn’t mean to cut you off.
Mike McBride
No, I was going to say it was very much the same in my discovery days, right? This is what our ESI protocol says. That’s nice, but the tool used to collect won’t do that.
Nate Latessa
Exactly.
Mike McBride
You can’t produce that. You’re not actually collecting it. And I think having those meetings, and again, I’ve been sort of on the negative train of risks here, but those meetings are also your opportunity. That is where you learn about the business, what the business needs are, and how to set up the business for success. Getting those people in the same room, getting those people talking to one another, and then coming to an agreement about how to move forward is a huge, huge part of being successful in this. And I think back to when I was a consultant, when the pandemic hit and all of our clients rolled out Teams because they had to. Most of them just turned it on; it’s on. And that’s what the IT team did. And then we had to go back and say, okay, all you did was flip it on, but you made a whole ton of decisions about data retention and eDiscovery and privacy and security that you don’t even know you made.
Nate Latessa
Right?
Mike McBride
Right. You accepted all the defaults.
Nate Latessa
And that was a good point. And you have, oh, go ahead, Maureen.
Maureen Holland
No, I was just going to say quickly that you also have to have decision-makers, because you don’t want death by committee. I have conversations with people in other organizations, and that’s where I think the biggest level of frustration is right now. People drive things because we have to be compliant or we have to do certain things. But then, when it comes down to accountability and being able to make decisions, the right people aren’t in the room. And so people get burnt out, because how far can you take it if you’re not dealing with people who can make decisions? Which is another challenge of bringing everybody together and collaborating.
Nate Latessa
Exactly. Maureen, we touched on data mapping a little with this next slide, and it’s something we’ve been hearing about forever, right? This goes back to when GDPR and CCPA first hit the scene. One foundational thing we discussed was that everybody needs a data map. But can you reiterate how important that is for some of the things we’re talking about today?
Maureen Holland
Yeah. My biggest takeaway from this goes back to something I’ve seen throughout my entire career. Decisions are being made without really understanding or getting to the root cause of the stakeholder needs. And so certain things will be put into place, or certain policies will be implemented and rolled out, without really thinking about the end result. We also have to be able to simplify processes and make our stakeholders’ lives a little easier, because if we’re doing all this and we’re causing them to jump through more hoops or deal with more layers, and I see this all over the place, it’s never going to work. And you’re going to still see silos. The biggest thing I’ve read about the success of programs is whether or not you break down the silos. As much as everybody wants to do this, if you’re not working together, you’re going to keep those silos in place, and that’s just going to make it harder. I can’t tell you how many times people have asked me where to start. This is where I would start: what do you have? What’s critical to the organization? Where’s the source of the data, and all those good things? And then it’s kind of like, oh, well, who all is dependent on this? Because I’ll see somebody solve something without realizing there are five other business areas that could probably use the same solution, if not a variation of it.
Nate Latessa
And that’s such a great point, and that’s the big takeaway for me. We’re all trying to do the same thing. Mike, do you want to weigh in on data mapping?
Mike McBride
I think you nailed it. You talked about getting to know where your data is beforehand. If there’s data out there that you don’t know about, it’s going to cause a problem at some point.
Maureen Holland
And I want to highlight that line at the bottom: cost considerations with existing versus new. Don’t try to solve for everything. You’re never going to be able to do it. You have to accept, or have people make decisions about, what’s acceptable risk around what I call legacy data or old data. Again, with turnover in large organizations, you might not have that historical knowledge. So someone has to make the decision on an acceptable level of risk for the old stuff. But for new data, that’s where everybody comes together: privacy impact assessments, all the risk assessments. Getting an understanding when something comes in the door is going to help drive the process through to the end.
Nate Latessa
Exactly. So, let’s wrap this up here. What’s coming down the pipeline? Maureen, I want to give you a chance to go first because, again, I know you have a lot of thoughts on this, but I’d love to hear what you think is coming down the pipe.
Maureen Holland
I think I’ve said it a couple of times throughout this presentation. Depending on what an individual wants for their career, I think there’s a ton of opportunity. When we were talking about what keeps me up at night, I mean, I have just an insatiable amount of curiosity, which sometimes can be a detriment to other people; I ask a ton of questions. But I do think that as much as we need traditional roles in all these different areas, we also need future cross-functional roles, and that’s going to require a new set of skills. I’ve had to do a lot of personal development around communication and how you build relationships. If you can’t build relationships, or you really don’t want to be front and center with senior stakeholders, or you don’t have a comfort level with executive presence, then you’re probably not going to be in one of these new cross-functional roles, because you have to have those skill sets to move forward. But if you’re in a traditional role and you love data and you love technology, bringing the stakeholders together around a single source of technology is a huge opportunity as well. And just to touch on something I know Mike will get into: instead of taking a blanket approach to GenAI, make smaller distinctions. Treat ChatGPT or Claude and those types of GenAI differently from Copilot; anything related to Copilot I would probably treat as its own topic rather than trying to tackle both types of GenAI at once. And then, Mike, I’ll leave it to you, but I do think everything’s going to be driven by pilot projects, and by the fact that Microsoft is allowing people to build smaller models. Smaller models, I think, are going to be the way of the future for AI versus larger models, because you’ll have more control over them.
Mike McBride
I’m going to agree with that. Yeah, one of the things I wanted to mention, because I’ve had numerous conversations over the past few weeks with folks who are really good with AI, know a lot about AI, and also work in the legal space: we’ve identified that the legal space is in that sort of trough of disappointment on the AI trend, in the sense that it’s not as easy as it was promised to be. It sometimes hallucinates; I’ve had AI tools tell me I could do something that couldn’t actually be done. We’ve seen all of that. And we’ve also seen cases where I’m asking too broad a question, or I’m pointing it at too broad a set of documentation. And I think there are times when that’s appropriate. I try to use AI to get a weekly summary of new M365 news, and for that I want to point it at the web. I want to point a public large language model at it and say, hey, go grab this information for me; write me a summary of what’s going on with Copilot or M365. It does a great job. But that’s such a broad question that if I brought it in-house and said, okay, go look at our data, including all of my emails about M365, and tell me what’s going on, it’s not going to make sense, because it’s too much. At the same time, there’s the opportunity, as I said earlier, to have a structured set of data, where I’ve defined what data Copilot is going to use and what documents it’s going to use. When I watched the Microsoft demo, they put all the help desk tickets into a site, then pointed an agent at it and said: here, this is now self-service. You troubleshoot an issue on your computer, ask the AI, and it’s got this entire history of help desk tickets. That makes sense, right? Again, it’s a limited-use model.
I can’t use that same agent and that model to do my news summary, but for this one specific thing, it’s going to be super helpful and super useful. Do the same with your HR policies: put ’em all in one place, point an agent at it, and say, use this agent when you have a question about these things.
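[Editor’s note: The “limited-use agent” pattern Mike describes can be sketched with a toy retrieval step: the agent answers only from one designated document set rather than from everything in the tenant. The tickets, policies, and scoring below are invented for illustration; real copilot-style agents use embeddings and ranking far beyond this.]

```python
# Two separate scopes: the help desk agent never sees HR policy, and vice versa.
HELPDESK_TICKETS = [
    "Ticket 101: VPN drops every hour; fixed by updating the client.",
    "Ticket 102: Outlook search broken; rebuilt the index.",
]
HR_POLICIES = ["PTO accrues at 1.5 days per month."]

def scoped_answer(question, corpus):
    """Rank documents within the agent's scope by naive keyword overlap."""
    words = set(question.lower().split())
    return max(corpus, key=lambda doc: len(words & set(doc.lower().split())))

print(scoped_answer("why does my vpn keep dropping", HELPDESK_TICKETS))
```

The design choice is the scoping itself: a small, curated corpus per agent keeps answers grounded and keeps each agent from touching data outside its job.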
Nate Latessa
Right? Almost like a chatbot. Speaking of those pilots, one of the things I’d encourage everybody listening to do is talk to your Microsoft rep, too. We’re just talking about M365 here, but Microsoft has a lot of great programs in place that will fund some of these pilot projects. They’ve got what’s called ECIF, End Customer Investment Funds, where they’ll give you $25,000 or $50,000 to do these POCs; they’ll basically pay for that because they see an opportunity to sell additional licenses. There are quite a few programs in place where you can get funding from Microsoft to take advantage of these tools. And one thing I want to close on: when I think about what’s coming down the pipeline, we’ve hit on this in so many different places. Data classification is, to me, the holy grail. If we can classify data, we can better protect information from a cybersecurity standpoint. We can limit our privacy exposure, limit our downstream discovery costs, and responsibly deploy AI. Looking back, a lot of companies don’t actually do classification, or don’t do it well. I don’t think they’ve had the right incentive up until this point. But now, with AI, the incentives are there, and companies are realizing that they’ve got to get classification in place; AI is really going to be the driver behind that. I think we’re going to start to see more and more companies getting very serious about classifying data and adding sensitivity labels. Maureen or Mike, is there anything else you want to add? Go ahead, Maureen.
Maureen Holland
I don’t want to lose the risk element, because I always get asked: well, how do you make sense of all these regulations and laws and privacy, and how do you balance business needs with being compliant or not? I’m not going to go through all 10 privacy principles, but the one I keep hearing everybody talk about, for when things get crazy and you don’t know which end is up, when you’re trying to deal with all you want to do as a business, implementing technology and GenAI, is this: transparency is everything. I was in another session with someone I respect, and she said the key to all of this, especially when handling and addressing risk, is to do what you say you’re going to do and then be able to prove it. And Mike just said that, too. Regardless of where you’re using AI, you’re going to have to be transparent about it and explain it. And if you can’t, that means you need to go back and work on your processes. There’s no longer a way for one person to stay on top of this. It takes a team of people. And that’s why I think cross-functional collaboration will be everything.
Nate Latessa
Absolutely.
Mike McBride
Yeah, I think Maureen really led into what I was going to talk about, and that is the never-ending struggle with the fact that, for some people watching this on recording, by the time you watch it, some of this will have changed.
Nate Latessa
Exactly.
Mike McBride
Some of this is outdated, right? This stuff is changing all the time. Even just trying to keep track of the technology part of it is a huge challenge that I struggle with constantly. Every day I’m like, oh, look, more stuff, new features, more changes, different tools. Cool. Okay. Awesome. Staying on top of that really requires dedication. It requires that mindset, as Maureen said, of always be learning. There’s always going to be something new that you can learn, always something new coming down the pipe that you want to understand. Finding good sources of information online and following people who are experts at this, including experts with very different opinions about where it’s going, is very useful. I follow people like Ethan Mollick, who’s a professor at Wharton and an AI expert who can test all of these models in the way that only somebody at Wharton could. He’s very positive about where it’s going. He tries to use it for everything and tries to have an impact in every area of his life with AI. I also follow someone like Ed Zitron, who writes the “Where’s Your Ed At?” newsletter, and Ed is convinced that this is all a bubble that’s going to blow up and explode in our faces one day. And I try to maintain the possibility in my mind that they’re both right: that AI will change how we work, and that it may also be an economic bubble that blows up in our faces someday.
Nate Latessa
Well, and speaking of experts, I know Maureen, and I followed Mike McBride. I get a lot of great information from you, Mike, and your newsletter, so I appreciate that.
Mike McBride
For anyone who’s interested, it’s at mcbridem365.substack.com. It’s got all the links to stuff there, and in the newsletter I share the work of a lot of the folks I follow. They are way smarter than I am. I’m just good at gathering information.
Nate Latessa
Well, we are at the top of the hour here, so Maureen and Mike, I want to thank you for joining me on today’s webcast. On behalf of HaystackID, I also want to thank everyone who took time out of their busy schedules to attend today. We truly value your time and appreciate your interest in our educational series. Check out our website, haystackid.com, to learn more about how we can help you overcome your complex data challenges. Once again, thank you for attending today’s webcast, and we hope you all have a great day. Thank you.
Expert Panelists
Mike McBride currently works at Bricker Graydon as an M365 Modern Workplace Engineer, which is just a fancy way of saying he spends all of his time in the M365 platform assisting the firm with utilizing all of the tools and features of the platform, including testing Copilot. He has worked in the legal industry for over 17 years, starting in tech support, moving into eDiscovery as an eDiscovery software trainer, and later working as a consultant focused exclusively on Teams and M365 eDiscovery when the pandemic hit in 2020 and everyone moved to using Teams and similar technology. Mike is also a blogger and writer; you can learn more at mikemcbrideonline.com and find his newsletter covering M365 and eDiscovery at mcbridem365.substack.com.
Maureen Holland is a dynamic leader and critical thinker with a proven ability to simplify complex business processes in privacy, compliance, governance, security, eDiscovery, and AI. Passionate about enhancing stakeholder experiences through advanced technologies, collaborative leadership, responsive consultation, and cost-effective workflows, Maureen is committed to driving measurable improvements, reducing costs, and advancing enterprise-level success.
Nate Latessa is the Executive Vice President of Advisory Services at HaystackID. With over two decades of experience, he is a prominent figure in information governance and eDiscovery. Latessa has been instrumental in devising strategies for effective eDiscovery and information management, aiding corporations and law firms in handling electronic evidence.
About HaystackID®
HaystackID solves complex data challenges related to legal, compliance, regulatory, and cyber events. Core offerings include Global Advisory, Data Discovery Intelligence, HaystackID Core® Platform, and AI-enhanced Global Managed Review powered by its proprietary platform, ReviewRight®. Repeatedly recognized as one of the world’s most trusted legal industry providers by prestigious publishers such as Chambers, Gartner, IDC, and Legaltech News, HaystackID implements innovative cyber discovery, enterprise solutions, and legal and compliance offerings to leading companies and legal practices around the world. HaystackID offers highly curated and customized offerings while prioritizing security, privacy, and integrity. For more information about how HaystackID can help solve unique legal enterprise needs, please visit HaystackID.com.
Assisted by GAI and LLM technologies.
Source: HaystackID