The Gap Between M365 Intentions and Reality
This is the fourth in a series of blog posts about the findings in a new MER Merlin report on automated governance in M365. This post will make the case that M365 automated governance and compliance adoption is still in the early stages and that most organizations have not caught up with capabilities of the platform.
Post 1 — The context for M365 automation — A rising tide of chaos.
Downloads of the report are free -- and private -- at THIS LINK. We won’t be handing off the names to anyone. We greatly appreciate the following underwriters, who made it possible to do this; I urge you to check out their offerings.
Download link for the report = https://mailchi.mp/merconference.com/merlin-m365
Active Navigation -- www.activenav.com
Archive360 -- www.archive360.com/
Infocycle -- www.infocycle.com/
Infotechtion -- www.infotechtion.com
Preservica -- https://preservica.com/
Protiviti -- www.Protiviti.com/Microsoft
Quality Associates Inc./DocPoint Solutions -- www.qualityassociatesinc.com
Xillio -- www.xillio.com
[For reference, the indented quotes in this post were made by an expert panel of end users; more detail on that can be found in the report.]
Given the depth and breadth of the governance, compliance and security changes introduced in M365, it is no surprise that organizations using the platform -- especially large ones -- are having a difficult time keeping up. As with any critical enterprise platform, much of what you can accomplish in the near-term depends on your starting point. Buying an M365 license -- whether of the E3 or E5 variety -- is one thing. Keeping it and leveraging it is another. Even understanding the differences between E3 and E5 in the context of governance is a challenge for many organizations.
Looking across the continuum of end users, there are a wide variety of experiences with M365, making general conclusions challenging. Some organizations have already made the decision to standardize upon the E5 platform, and are now focused on adoption and integration issues. Others are still trying to make the decision whether to move from E3 to E5. And still others have not yet deployed M365 in a strategic fashion when it comes to governance, but rather in a piecemeal way to take advantage of individual components like email and the Office and Teams.
Only 21% of organizations report that they have fully optimized the automated governance, compliance, and records management capabilities of M365, and 22% report that they have not even begun.
A huge gap exists in most organizations between the reality of how extensively M365 automated governance has been adopted and perceptions among IT and business staff. This “wishful thinking” gap is fairly common on a variety of governance concerns, but is particularly noteworthy with regards to M365 governance. A key challenge for IG professionals in getting funding for governance projects is to reposition governance -- which is often viewed as a necessary evil among business executives -- as an enabler for the objectives that the business does care about -- security, user productivity, and customer value. Likewise, IG professionals need to help their IT colleagues better understand the unique challenges associated with managing unstructured information -- content -- at large scale.
What role will the M365 governance platform play in your organization?
The history of enterprise content management as a set of capabilities often deployed to solve specific mission-critical, large-scale departmental problems means that most organizations have multiple content management systems in play. Given this, how are they envisioning the role of M365 governance moving forward?
As an out-of-the-box governance solution for M365 content?
As a governance solution ultimately for more than just M365 content?
As a solution that will be complemented by other third party solutions?
As one repository among many that will be governed by something else?
“M365 is our platform. Like it or not, we have fully embraced it and we’re going to be migrating from other content management systems into SharePoint. We've started a multiyear project implementing the information privacy protection module. We have over 20 years’ worth of shared drive data, and we’re in a massive project to clean up there and move everything to SharePoint or Teams.”
“We’re retiring existing content systems other than M365 process by process, but all of them eventually need to go.”
“M365 has emerged as the way we want to govern unstructured information in our organization. Our objective is to push as much as possible from other repositories into a managed M365 environment.”
“Our IT strategy basically drove our approach as to how we would implement M365 and the role it would play. We had thousands of ad hoc systems that we were struggling to maintain. We couldn’t keep them current, and interoperability was a struggle or simply impossible. A decision was made to buy tools out of the box, which meant that we needed to modify our processes and our approach after the fact based on those tools.”
One thing is clear -- all that is manual must be automated in order to truly transform.
Where is M365 automated governance headed?
What kinds of M365 challenges and capabilities are the most experienced organizations (those ranking themselves a “4” or “5” on the optimization scale and representing organizations with 100 or more employees) focused upon? In many ways, this list represents a summary of the decisions that organizations will need to make as they move from M365 license purchase to M365 adoption.
The percentage of organizations with a significant volume of permanent records and retention periods greater than seven years or permanent is striking:
11% = ”up to 20%” of records
32% = “more than 20%” of records
The three most important reasons that people search, discover, or retrieve inactive information and records are (out of seven choices):
60% = Internal audit
51% = Improve decision making
48% = External/regulatory audit
The M365 Governance and Compliance capabilities most likely to be a focus over the next 12-24 months (out of an overall list of 12 possibilities):
35% = Records management
32% = Legal discovery
30% = Retention policies
29% = Business process integration
The primary methods in M365 in use (or will be shortly) that are used for automatically applying labels to content are:
84% = Specific types of sensitive information
59% = Keywords or searchable properties
27% = Trainable classifier match
73% “plan to” or “are considering” using record versioning in M365.
The primary strategy organizations are taking with regards to migration into M365 (only one “best choice” was allowed in this question) varies considerably:
32% = Use Azure auto-classification to categorize files and images and then migrate into M365.
22% = We plan to use M365 to access and utilize OTHER data repositories.
19% = Migrate active data to M365 and everything else to a third party repository.
15% = Lift and shift everything into M365 as quickly as possible.
12% = Eliminate ROT (redundant, obsolete, trivial) content using a third party tool and then migrate.
The following challenges/concerns are MOST important when thinking about the overall role of M365 governance (respondents chose three out of a list of ten):
40% = Keeping up with changing regulatory retention and privacy laws.
38% = Data security.
34% = Scalability issues: search, storage and processing.
33% = Limitation of scope in M365 governance (retention and disposition).
32% = Keeping up with the latest changes in M365.
30% = Managing structured data (vs. documents).
The most important third-party solutions to integrate with your M365 governance strategy are:
31% = Analytics
22% = Existing records management solutions
Download link for the report = https://mailchi.mp/merconference.com/merlin-m365