Heidi Maher had a unique childhood, growing up in Iran, where her mother worked as a nurse volunteer for the U.N. When the political environment changed for the worse after the 1979 Iranian revolution, her family immigrated to the United States. During that process her family lost their life savings, so she became determined to become an attorney and fight for justice. Before entering the tech industry, Heidi was a felony prosecutor, civil litigator, an assistant state attorney general, and the public information officer for a large environmental agency. She is licensed to practice law in Texas and is admitted to the Fifth Circuit Court of Appeals.
Ms. Maher then entered the tech industry, and was involved in strategy, marketing and consulting at various technology companies. She is an attorney and IG specialist who has helped hundreds of organizations move from theory to practice both from within the industry and as an external advisor. In 2015, she was named Executive Director of the Compliance, Governance, & Oversight Council (CGOC). The CGOC has published IG benchmarking studies and a thorough IG Process Maturity Model (IGPMM), which was updated in 2017 to include a greater emphasis on privacy and security. We wanted to learn more about her vision for the CGOC, and approach to IG, so we caught up with Heidi near her home in Austin, Texas.
What got you interested in compliance?
After a short stint abroad, I returned to work as a litigator at a law firm and the Texas Attorney General’s office. Because of my background, eDiscovery was a logical area of focus, so I moved to a company that provided litigation support. However, it was frustrating to see all the problems that occurred because customers were ignoring Information Governance (IG), the first stage of the E-Discovery Reference Model (EDRM). I spent the next few years at a large technology company as a subject-matter expert helping customers manage and dispose of their enterprise data to reduce the downstream cost and risk associated with eDiscovery. This was the time when information entering organizations was increasing at an exponential rate and companies across the country were frantically trying to comply with rapidly developing rules and regulations. Organizations like the Sedona Conference, EDRM.net and the CGOC sprang from the need to provide some best practices to guide organizations through that difficult time.
How did you get involved with the Compliance, Governance and Oversight Council?
I had been aware of the CGOC for a number of years before my company partnered with PSS Atlas and its CEO, Deidre Paknad. She started the CGOC in 2004 to create a forum where practitioners could share ideas and best practices within working groups and at regional meetings. Later, I became a fan and user of the CGOC Maturity Model, one of the most widely used tools in the industry for documenting the process capabilities and maturity of an organization’s information governance program. In 2015, due to recommendations from past colleagues James Schellhase and Jake Frazier, I was brought in to lead the organization as its Executive Director.
What priorities did you set for the organization when you became Executive Director?
The value of the CGOC rests within the 3,800+ members. Whether they are highly experienced practitioners or just getting started, their shared insights and diverse industry perspectives create a knowledge base that we can use to solve complicated legal, IT and business challenges. I wanted to do a better job of harnessing that by growing membership and participation. Whether speaking at events, writing articles or contributing to whitepapers or industry tools, their collective knowledge and experience create insights and guidance for the rest of the industry.
Increasing the number of events was another priority. In this increasingly digital and virtual world, in-person events become even more unique and important in bringing together thought leaders and practitioners. Although there are many stakeholder-specific conferences, CGOC events are unique in that legal, records, compliance, privacy/security and IT professionals all come together in a cross-functional way to share insights and brainstorm solutions to common business problems. Since many organizations are siloed, cross-functional analysis of common challenges can be difficult to arrange and attain. CGOC events create an atmosphere where those discussions are facilitated and best practices are learned from peers at similar organizations that have tackled the same issues.
However, discussions alone are not enough. My next priority was the IG Process Maturity Model (IGPMM). The cornerstone of the CGOC philosophy is how to move from the discussion of challenges and planning of solutions to practical implementation. As such, it became necessary to update IGPMM, to revise some old processes and add new ones to guide practitioners through the advancements in IG. So, we updated the Model to include new processes such as Cloud Computing, Data Quality, and Data Lineage. We also updated the Privacy and Data Protection Obligations section to reflect evolving data privacy concerns, including the impact of the European Union General Data Protection Regulation (GDPR) and added three additional processes relating to data security best practices: External Intrusion, Accidental Data Leakage and Insider Theft of Data.
My final priority was to increase the focus on privacy. Being involved in the privacy field since 2006, it was obvious that it was going to be an increasingly complicated hurdle for all organizations. That’s why the CGOC was providing leadership and guidance around privacy compliance long before the GDPR was implemented.
What are the benefits of using the CGOC IG Process Maturity Model for assessments?
The CGOC IGPMM is designed to take a novice stakeholder from 0 to 60 by suggesting cost levers to create a business case, guiding the documentation of organizational risk on a heat map and scoring your organization on each of the 22 processes through the 4 levels of maturity.
What role does Infonomics play in Information Governance?
Infonomics plays a huge part in IG. Companies are coming to realize that their data is perhaps their biggest asset. That’s why, I believe, there are Fortune 500 companies that do a poor job of deleting their unnecessary data. They are afraid they might accidentally remove data that still has intrinsic value. However, they should realize that a lot of worthless ROT exists, and because data is so valuable it must be managed as such, and that’s where IG comes in.
What advice do you have for others trying to implement IG programs?
Simple. Just start. As a wise person once said, “Don’t let perfection be the enemy of good.” Break up the project into small steps and then… take them.
What special skill or hobby do you have that might surprise your colleagues?
Since I no longer work in the DA’s office, I compensate by reading and listening to true crime books and podcasts. Also, though not a skill or hobby, I think my colleagues would be surprised to learn that I can get rambunctious during basketball games.
What do you like most about Austin?
Even though this city has grown by leaps and bounds, the character of the people has stayed the same. People respect you for who you are, not what you have or what you do. For such a large and dynamic city, it maintains that small town vibe. The only downside to the city is the brutally hot summers.
What is your favorite lunch or brunch place in Austin, and why?
Thai Kitchen is my go-to lunch place. It’s a little hole-in-the-wall restaurant near the UT campus, and it has the best hot pot seafood and lemongrass soup. Also, you can’t go wrong with anywhere that serves Tex-Mex!