Overcoming the ‘What If We Need It?’ Mindset: Building a Culture of Defensible Deletion | Data Xposure - Ep 12
Host: Fahad Diwan, Director of Product Marketing, Exterro
Guest: Ryan Zilm, Director of Information Governance & Privacy at H2O America
What’s really driving your data retention decisions: policy, or fear?
In this episode of Exterro's Data Xposure podcast, host Fahad Diwan sits down with Ryan Zilm, Director of Information Governance & Privacy at H2O America and former ARMA International President, to confront one of the most common and dangerous cultural defaults inside large enterprises: “What if we need it?” Ryan shares the story of leading a large-scale ROT (redundant, obsolete, trivial) cleanup campaign and the deeper lesson it revealed: organizations don’t struggle with deletion because of technology; they struggle because of mindset. What starts as hesitation quickly compounds into expanded discovery scope, unnecessary legal hold complexity, regulatory exposure, and a broader attack surface for security teams.
Through real-world examples of stakeholder resistance, executive alignment, and hard-earned leadership lessons, Ryan explains how to replace fear-based retention with defensible, policy-driven deletion.
For legal, privacy, and security leaders under pressure to reduce risk without increasing resources, this episode reframes deletion as a strategic control, not a reckless act.
What You’ll Walk Away With:
A clear understanding of how the “What if we need it?” mindset increases litigation, regulatory, and breach exposure.
Practical strategies for shifting organizational culture from data hoarding to defensible deletion.
Because in today’s enterprise, keeping everything isn’t safe; it’s risky.
Fahad Diwan: Welcome everyone to Exterro's podcast, Data Xposure, the podcast for data risk leaders. I'm Fahad Diwan and today we're unpacking an important problem plaguing organizations and legal privacy and security professionals everywhere. Many organizations have a "what if we needed it" mindset when it comes to their data. They end up hoarding their data, well, forever, and they accept the risk that comes along with this. But as data and AI agents proliferate, the risk from this data hoarding is becoming too great, changing the risk-reward calculus and tipping it in favor of starting to delete the unnecessary data. So that's what we're going to unpack today: How do we move away from this mindset and start building a culture of defensible deletion?
Joining us today is Ryan Zilm, Director of Information Governance at H2O America, with field-tested lessons you can use right now. He is an award-winning executive leader who brings over 29 years of focused experience in data strategy, risk management, and information governance. He currently leads information compliance strategies ensuring adherence to policy laws on HIPAA and CCPA at H2O America. He's also the founder and CEO of Zee's Information Lifecycle Management. During his career, including time at USAA, he has driven multi-million dollar cost savings by streamlining operations and launching automated enterprise retention tools. He conceptualized a "content cleanup carnival" that achieved over 55% employee participation, indexed over 550 record cases, and generated almost half a million dollars in cost avoidance. Welcome, Ryan. We're so happy to have you here. How's it going?
Ryan Zilm: Thank you, very happy to be here. What a great introduction as well.
Fahad Diwan: Yeah, well, we've got a great profile. And I think our audience is really going to benefit from the experience and expertise that you bring in. And before we dive in, I just want to say a quick note, the views and opinions expressed by Ryan in this episode are his own and don't reflect the official policies or positions of his current or former organizations. Just got to do that standard disclosure. So Ryan, enough of me monopolizing the conversation. Our listeners want to hear from you. Take us back to the beginning. How did you find your way into information governance?
Ryan Zilm: Yeah, it's been 30 years now this year. So it's just crazy to look back and yeah, I started in information technology back in the nineties and just, I really liked it. It was very factual; it was black and white, you know, the ones and zeros and coding. It was right around 2005 that I had a little change in career and found my way over into information management, records, and information governance. It was a lot of fun for me because I was coming from the IT realm and moving over into the legal space, being able to kind of be the liaison between the tech side and the legal side and kind of bridge that gap.
I very quickly fell in love with the space because, you know, I think what I learned very early on was there is a science to what we do—that black and white, the regulatory compliance—so this is what you must do. But how you sell it and how you bring it to fruition inside of organizations is the art. And that was the fun. And those were the things that I just thought, man, this is really cool, let's see how we can do it. And just, I haven't looked back ever since. I've been fortunate enough to roll out these programs in multiple organizations over the last 30 years and each one of them has been different. I think that's the fun of it is trying to identify where organizations can thrive with these changing rules that we're experiencing and really helping their programs grow. So it's been tremendous and I'm just so appreciative of all the experiences and the exposure that I've had.
Fahad Diwan: That's amazing, Ryan. And I think the industry is appreciative of you too for bringing all of your experience and expertise to this space. I loved your point about how there's a component of science and art here. I think when it comes to creating a retention schedule, that can be very prescriptive; we have specific rules we need to follow that we can iterate upon. But then there's this whole human aspect to it of getting people to work together, and I think that's always more of an art than a science. And so when it comes to this more working with people, changing mindsets, for the legal privacy and security listeners of this episode, how would you say the "what if we needed it" mindset actually increases their risk exposure?
Ryan Zilm: Wow, that's a really loaded question because I think everybody's kind of in this data hoarding mode right now because we see this as "if I don't have it, I'm going to need it". And we've really expanded around—well, let me back that up. Let's say I've seen in cases where having it is not as beneficial as not having it and having defensible deletion in place. Without getting into specifics, sometimes those smoking guns can help us and sometimes they don't as much. So I think when you look at the overall risk of keeping things, it's that safety net, it's that security. And I think also the volume of information makes it really challenging for people to feel like they can let go, especially today.
I mean, I think that my personal records, for example, probably are not managed as well as my organizational records. And I think that's because of volume and not knowing what it is or how we should comply, because I don't have a person in my life other than myself who should be saying, "this is how long you keep your financial records" or "this is how long you keep your other records". Whereas in organizations, we have somebody like a me and others who should know what it is, should understand the risks, should understand what regulatory bodies we have to comply with and put those guardrails in place and those controls.
But I think that the challenge is that mentality of "I am gonna need it". And crossing that barrier of, well, you think you need it, but when it's gone and you don't have it, how easy would it be for you to recreate it if you truly needed it? And getting people over the hump, that's kind of the art that I've found some huge successes with of late and over the last 10 to 15 years. When you make people feel comfortable with understanding what information they do need versus they don't need, it can be a huge win.
Fahad Diwan: It sounds like it can. And I love, love, love your point about how when you speak to people, you ask them, "well, if we got rid of this data and we needed it again, how hard would it be to get this data again"? That's a really insightful question to pose to help people get over the fear of getting rid of data that they might one day need. And so let's dive into specifics because you've worked at so many great organizations and done so many of these programs. Without obviously naming the organization, can you take us back to the moment where you realized a ROT cleanup campaign was necessary at one of the organizations you worked at? What was happening inside the organization? What led to you thinking, hey, we need to stop this data hoarding and start defensively deleting?
Ryan Zilm: Yeah, I think every organization I've been in needed a ROT cleanup strategy, but some of them were more significant than others just because of the level of risk that may be associated. And so when I looked at this and I said, you know, we have these different applications that are not being managed. People don't know how to hit the delete button, so we need to put some automation in place for them. I started thinking about, well, this is the first time they've hit delete ever. For people who've worked in this organization for 15, 20, 30 years, there's this challenge with being able to hit delete.
So educating people on why it's important to do it for that strategy, but also not giving them too much that is overwhelming. Cause if you think about, if I've been in an organization for 30 years and we're going to put a strategy in place that says, "Hey, guess what? Anything over X period of time is just going to be gone because it meets said criteria," then we really have to get them over that hurdle of understanding the why and the what. And every organization has been different.
But what I did very successfully was breaking it down into bite sizes. And so we did this ROT tier strategy where we said, listen, let's target these; we'll have a tier one, a tier two, and a tier three. Let's start with the tier three ROT. Let's identify that as anything that's, let's say, over 10 years old that meets said criteria like system files and other documents that just haven't been accessed in over 10 years. Let's start with that path. Let's grab it. Let's find it. And then we can do maybe like a quarantine.
Quarantine is a service, if you will, where it goes into this holding queue. People have access to it for, I don't know, say 90 days, and then they can review it and action it. Or if they don't touch it, then it does go away. So that's that first bite, getting them familiar with what the process is and how they can get over that hump. And then after that, that next step in the phase of a ROT strategy would be five years—that tier two. If you're a younger organization, maybe you do five years, two years, and one year. But for this organization, it's going to be 10 years, five years, and two years.
Because when you get them over the 10 year hurdle, then you can get them to the five years, but there's still a little more angst there. You also have to make sure that they can be successful and that there's that automation in place because the more manual that we make things, the less likely we are to get the follow up with those strategies. Calling it like "quarantine as a service"—it is a service we're providing to get rid of the stuff for you, but we do want you to have access to it in case you need it.
Putting that strategy in place was significant. When you think about organizations I've worked in that were in 120 countries with hundreds of thousands of people, the volume of data we're talking about from something as simple as anything that hasn't been accessed over 10 years can be so huge. And then you look at the ROI and the cost savings and storage savings and just that risk overall being reduced; it's pretty incredible to have something like that come to fruition.
Fahad Diwan: Thanks, Ryan. As you were speaking, my mind was just lighting up. One thought that I had was about your quarantine as a service. It reminded me of this advice that one of my friends gave me once. He said, "Fahad, if you ever want to get rid of clothes you don't really wear, but you're still hoarding, at the start of each year, turn the hanger around for all of your clothes in the closet". And then when you do wear that piece of clothing, you turn the hanger the opposite way. At the end of the year, the hangers that are still facing away from you, well, those are clothes that you didn't wear in the past year, and you can get rid of. That was one way that I got over the fear of getting rid of clothes that I may one day need.
And so when you were talking about quarantine as a service, I thought that it was such a genius idea because if we don't go straight to deletion, if we say, "we'll move this information to a quarantine environment, we'll archive it," then you can always get it back if you need it. It might get people over the hump and over that fear of getting rid of some of that unnecessary data. And then after 10 years, if that individual hasn't gone back and retrieved it, then we can safely say, "look, there's no way you need this data, there's no way this organization needs this data, we can now purge this from archive as well".
And so I want to double click on how you get buy-in because data deletion or archiving data touches upon the information governance professional, but also information security, privacy, legal, and data governance. Can you answer two questions for us? One is, can you talk to us about a time when all of these different data stakeholders weren't aligned and how you brought them all together? And as a part of your answer, can you help with this often confused terminology and distinguish between information governance and data governance?
Ryan Zilm: Boy, that's a huge can of worms. But let me answer the first question, because it's really important for people to understand that the art has to have heart. And what I mean by that is we're humans; we interact differently with different people and respond differently. And when you have misalignment on your strategy or when you can get rid of data, you have to bring people over the hump. The art part of what I was talking about earlier is really about people. It's about coming to the table with them, understanding where do they hurt when you say, "I'm going to take your data away," and then helping them across that finish line.
I've been in many organizations where people are very reluctant to get rid of things or change in any type of a program. We have to get them comfortable. And I think that's where I've really tried my hardest to build relationships first before I go in and just turn things up and say, "we're going to roll out this new program and your stuff's going to be deleted". I'll give you some examples that are kind of fun. There was one organization that I worked in where we started off with physical files on the shelf and people could walk in and pull files out of the storage room without security. And so we make a change, and that's when they're like, "wait, I can't come in and get my own files"?
And then it went to, "all right, well, now we're going to start helping you out with a content management system where things could be placed there instead of stored on a shared drive". The people we were working with were very challenging, and one of them was an engineer. When I said to my team, "hey, we should really bring this person on board, let's get them in our pilot group," they were like, "but why? This one person is just the worst person". I'm like, "but that's going to be your biggest advocate in the long run". So we brought her on board and she's like, "absolutely, if things are going to change, I want to have a say in it". And she became the biggest advocate for moving things forward because she felt like she was a part of the change and she could get her questions answered upfront. That is how you get that alignment.
Even in smaller places, like out in the field—I've worked in oil and gas for 25 of my 30 years and I would go to towns of 500 or 2,000 people with small offices. I remember one time I was in an office and instead of coming in guns blazing, I was talking to the office assistant. Their printer was broken, and I said, "I'll look at your printer for you, not a problem". I went over there, fixed it, and got the printer working. Those small wins help people to trust you. And when you earn their trust, making those changes and getting that alignment across not just the field level but even at the senior leadership level, that has been by far the most significant thing people need to take to get alignment across the entire organization.
Fahad Diwan: Wow, Ryan, would have never expected that response. But I think when we often talk about getting buy-in, people will say, "communicate how your objectives align with their objectives," which has merit. But what I love about your point was you said, put the relationship first, build trust through any means, show that you're there to help even if it arguably has nothing to do with information governance. You establish that rapport and the idea that, "look, I'm here to help, you can trust me, I don't want to make your life more difficult". And so I love that. But I'm not letting you off the hook, Ryan. I think we need to know what is the difference between information governance and data governance?
Ryan Zilm: I will give you my take on it. Everyone kind of has their own take and I do think that it's become challenging as some of the lines have been blurred. When I want to communicate information governance versus data governance, I like to take a look at information governance being kind of that overarching "what information do we have in the organization? How long do we have to keep it? What do we need to do to comply with it?". Just at an information level, which I think is a little bit more official.
But with data governance, I think about things like master data and reference data and the data elements—rows and columns and things of that nature. I think sometimes we get lost in this because data is information, but they are two very distinct disciplines, just like knowledge management would be another one. Sometimes the lines get blurred because organizations for lack of understanding tend to dump them all into one bucket. And we tend to lose sight of how we should be enabling data governance versus information governance and records management. Now, they all do integrate and they partner very well together, but there are distinct differences. I would say if you are unsure, I strongly suggest that you go out there and take a look and understand and then make your own opinion as to what you think the differences are. But it's a great question.
Fahad Diwan: Yeah. And thanks for clarifying. Do you think perhaps the confusion originated from the fact that information governance is an older discipline before we had this boom of data? I mean, from my understanding, organizations have had to manage records since maybe the 70s or even before that. So do you think that has an element there?
Ryan Zilm: I think it does. I think it's evolved. Records management has been around for basically eons, if you will. Data governance is the buzzword that has been the hot topic for the last, let's say, 10 to 20 years. But back in the 90s, we did have data analysts and database persons for each of our applications. I think it's just continued to evolve and the volume of information and the amount of changes in regulatory requirements—around even something as simple as prompts—has changed so much.
I think the discipline itself can be very different than the roles and responsibilities within organizations. If I say "records information governance" to you, you might think that means they're going to be doing records and putting some governance around applications. But in practicality inside of my organization, that may not be what I do at all. I may only do physical records, but the name of the department may be different. There's always this give and take of what an organization needs versus what we call the discipline, and those blurred lines are just there and I think they will always be there.
Fahad Diwan: Right. And as you said, because it's such an evolving space. If I understood your points correctly, there's a context dependency. Each organization has its own context and terminologies. If I understood your distinction, information governance is managing the lifecycle of the information within an organization, and data governance is more specifically about having a centralized source of truth for data and then managing the quality of that data to derive insights. I know it might be a gross oversimplification, but is that like a 90% there?
Ryan Zilm: I like it. I think that was very well summarized. Thank you.
Fahad Diwan: Thanks, Ryan. I want to circle back to a point that you touched upon earlier. I don't want to ignore the very real reasons that organizations are reluctant to delete data—there's the risk of spoliation. Organizations are worried that they might delete data that they need for litigation, and there are a multitude of retention requirements that say organizations have to retain data for a specific number of years, or they could be penalized. But for teams really worried about legal defensibility, how does a continuous and preferably software-automated data disposition actually reduce the risk that comes from data rather than creating the risk?
Ryan Zilm: Great question. It boils down to one word for me, and that's consistency. When you look at the human element of a process or a procedure or deletion, the human element makes it inconsistent. Whereas if you put a technology in place that's going to remove it, even if it does it wrong, it's going to be removing it wrong, we'll say, consistently. And that then helps your defensibility, especially when you go for a case and have to say, "yes, this is what happened, but it did happen consistently".
If we have a human element in place when it comes to deletion, one person will look at a document and go, "no, I need that," and another person who has the exact same document might say, "no, don't need it, delete". Well, why was that decision made? Having a policy and a retention schedule is only half the battle. Communicating to employees about why it's important to remove or keep things—and even the complexities now with like max retention periods—is key. Giving people technologies to manage that, where it is decisioning for you, is really going to help win your cases or reduce your fines.
The consistency in what tech can do for us has increased our percentage of defensible programs because we are removing the human element. And I want to be clear, it's not like we're removing the humans; it's just the decisioning on when to keep information and when not to. That's key for me is I want to be able to say, "yes, we did it consistently because our tech was in place and it was operating efficiently and consistently".
Fahad Diwan: I couldn't agree more. We need the humans to get buy-in and work with the technologies, but technologies will bring in this element of consistency across the board on how long to retain data. Now, at Exterro, our solution can not only precisely identify how long to retain specific data but link it to legal hold and retention requirements, essentially doing all the heavy lifting for employees so they can focus on the softer factors of building buy-in and relationships.
So, I would love for you to boil it down into just a few actionable items that listeners could take in the next 90 days. If listeners could implement one change in the next three months to reduce data hoarding and build a culture of defensible deletion, what should it be?
Ryan Zilm: One thing, my goodness, just one! I mean, I think it goes back to building relationships and understanding what that factor is. Early in my career, I was told, "just go to lunch and just talk to people, build those relationships". I think it would behoove anyone listening to figure out who your biggest naysayers are, take them to a lunch, a coffee, or a virtual, and spend just 15 minutes and ask them, "hey, so I know you have this application or you are struggling with the fact that we're removing your email pretty soon. Walk me through what that looks like for you".
Really listen to where the fear is coming from, because a lot of times it's a fear that data is going to be accidentally deleted. You can walk them through kind of what recovery looks like. Just sitting with them, talking to people, understanding where any fear of change comes from so that you can hit the delete button with them being comfortable. Thinking about things like terminated user data—there are some organizations that don't have processes around users who have been gone for 10 or 30 years—maybe we start there. Why don't we sit down together and let's hit delete on this data, but let's first look at it and make sure there's nothing there that you need?
I like to use those most challenging people; I want that person on my team and in a pilot. I want to make sure that person who is going to give me the most challenging responses is on board and has said every single thing that they can think of. Because if they give me their list of 12 items that they're uncomfortable with, if I can tackle those and make them comfortable, the rest of the organization should be a piece of cake.
Fahad Diwan: Right. And that way your greatest naysayers can become your greatest allies by addressing their concerns and making your process better. Thanks, Ryan. This was an incredible conversation. A lot of what you said deeply resonated with me, especially the point about leading with relationships and using tech to be consistent in these programs. So thanks, everyone, for listening. Thank you, Ryan, again, for the amazing session. This is Data Xposure. Please subscribe and follow so you don't miss the next episode. You'll find us on Apple Podcasts, Spotify, YouTube, and wherever else you get your podcasts. I'm Fahad Diwan. See you next time.