Chief Data Officers, as I indicated in The CDO toolkit essentials, need to be focused upon what Tom Davenport labels data defense and data offense. Defense is seen by Davenport as including: data integrity, data quality, data governance, data security, data privacy, and regulatory compliance. For many CDOs, the focus is by necessity upon the first three, but the latter three matter too because of the business impact of not meeting them. For this reason, CDOs have a vital role to play in defensive data protection.
Where does data protection matter most?
Organizations facing increased regulatory pressure, from within their industries as well as from new government mandates, have a clear need for data protection. Given that the volumes, varieties, and velocities of data are increasing exponentially, CDOs certainly have their work cut out for them!
A key element of this is the fact that in most organizations, CDOs are responsible for their company’s governance and stewardship of data. CDOs, working with their data stewards, are the best placed people to define the data controls needed to ensure sensitive data is protected from external threats and from inappropriate internal access.
At the same time as preventing inappropriate access, CDOs need to enable data to be used for legitimate business purposes. This includes allowing appropriate access by data scientists, account managers, and customer support personnel. For example, data scientists want real-time access to information without people or processes getting in their way; they openly ask for raw data rather than waiting for governance. While data scientists are under growing pressure to quickly deliver insights for competitive business advantage, recent high-profile breaches have shown that disregarding data governance and protection does not work when it comes to consumers’ sensitive information. Big data, for example, has become a big target for cyber criminals as well as for businesses seeking to monetize it.
Good reasons for CDOs owning data defense and offense
The CDO owns data defense and offense for good reasons: they are best placed to balance corporate data protection and privacy goals with the need to respond quickly to digital disruption. Additionally, it is mission critical that organizations respond to increasing pressure from regulations and industry mandates such as GDPR, PCI, the U.S. Patriot Act, the U.S. Affordable Care Act, FISMA, HIPAA, SOX, Basel II, PSD2 in Europe and the UK’s Investigatory Powers Bill, all of which require stricter enforcement and governance.
What is holding CDOs back in protecting data?
To prevent the release of sensitive data, CDOs need to facilitate the establishment of policies and capabilities to protect data systematically. Clearly, though, the mandate to protect enterprise data is rarely just in the hands of the CDO.
CDOs need to help overcome the disconnect that often exists between the Chief Information Security Officer (CISO), who may own the technology for protecting data, and the business community, who drive the requirements for data-driven services. In this scenario, it fits within the CDO’s responsibilities for data management and governance to retain jurisdiction over what information is protected, while working with the CISO to ensure that data security does not compromise the business results the organization is trying to achieve through analytics.
One CDO said to me recently, “Prior to the CDO function, the CISO was alone. They had to lock down all data. Now that technology and the business are becoming more connected and integrated, it is a natural opportunity for CDOs and CISOs to collaborate, work together and tap into the business community for improved data governance.”
CDOs are well positioned here because they typically view things systematically and, for this reason, look at privacy and security holistically. ‘Privacy by Design’, defined by Ann Cavoukian, Executive Director of the Privacy and Big Data Institute, is a great approach for CDOs to drive through their organizations. In fact, evolving data protection regulations, including GDPR (Article 25), mandate the protection of personal data ‘by design and by default’.
Can’t I just put a wall between me and the bad guys?
Privacy by Design matters because data protection is not just about attempting to keep bad people out. This thinking is driving the shift from only protecting the perimeter to protecting the data itself. In most organizations, data moves freely between applications; think about how many applications share the concept of a customer. Securing platform by platform or application by application is no longer effective on its own, because the same customer record is only as well protected as the weakest system it is copied into. CDOs can play a big role in shifting the focus from protecting systems to protecting the data itself.
Isn’t encryption all that I need?
The simple answer is no. On its own, whole-database or disk-level encryption is coarse-grained, ‘all or nothing’ protection: it defends against theft of the storage media, but anyone with valid credentials to the running system sees every field in the clear, and anyone without sees nothing. It can also add overhead to every read and write. This does not fit with the notion of good data governance.
Most organizations need to protect data internally and externally and to provide differentiated rights to access data. Using encryption to provide only coarse-grained protection adds little value from a risk mitigation perspective against the more common threat of a legitimate account, or a compromised one, reading data it has no business need for. Good data protection and governance need to provide much more granular, field-level access control that does not slow down the usability of data.
Organizations need to be able to use data to gain the insights needed for business innovation and advancement. This goal should not be stymied by the work of data integration or by meeting regulatory compliance requirements involving customers’ data privacy rights.
Isn’t there a better way?
A better way involves intelligent, dynamic data-centric and person-centric protection. What’s needed is an approach that builds data protection cross-silo and cross-application. No one person should have complete access to all data. Making this work requires centralized governance and data deidentification (what GDPR calls pseudonymisation) to protect data subjects, such that additional information, held separately under the governance function’s control, would be required to re-identify an individual.
With centralized governance and data deidentification, protection can be applied wherever the data goes. The power of this approach can be understood by considering a health care example: I may want my doctor to see my entire medical record but not my financial records as well, or I may want a researcher studying how to derive better care to see my entire medical record but without them knowing it is mine.
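The health care example above, and the earlier point that whole-database encryption cannot give one role the medical fields and another role the financial fields, can both be shown in a few lines of code. The following is an added illustration, not code from the original post or from any product it describes. It assumes a constructed patient record, a hypothetical central role policy, and a pseudonymisation key that only the governance function holds; the doctor sees the full medical record but no billing data, the billing clerk sees the reverse, and the researcher sees the medical record under a keyed pseudonym with the date of birth reduced to a year.

```python
import hashlib
import hmac
from copy import deepcopy

# Constructed sample record (not real data): one patient whose medical and
# financial details sit in the same record, as happens across shared systems.
PATIENT_RECORD = {
    "patient_id": "P-10042",
    "name": "Jane Example",
    "date_of_birth": "1978-03-14",
    "diagnoses": ["type 2 diabetes", "hypertension"],
    "medications": ["metformin"],
    "billing": {"card_last4": "4242", "outstanding_balance": 120.50},
}

# Hypothetical central policy: the fields each role may see, and whether the
# view is pseudonymised. A role absent from the policy gets nothing.
ACCESS_POLICY = {
    "doctor": {
        "allow": {"patient_id", "name", "date_of_birth", "diagnoses", "medications"},
        "pseudonymise": False,
    },
    "researcher": {
        "allow": {"date_of_birth", "diagnoses", "medications"},
        "pseudonymise": True,
    },
    "billing_clerk": {
        "allow": {"patient_id", "name", "billing"},
        "pseudonymise": False,
    },
}

# Assumed: this key is held only by the governance function, never by the
# teams that consume pseudonymised data. It is the "additional information"
# that re-identification requires.
PSEUDONYM_KEY = b"example-governance-key-rotate-me"


def pseudonymise(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym for a patient identifier.

    HMAC rather than a bare hash: patient IDs are enumerable, so a plain
    sha256(patient_id) could be reversed by hashing every possible ID.
    Without the key, the HMAC output cannot be linked back.
    """
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "PS-" + digest[:16]


def view_for(role: str, record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Return only the fields this role is allowed, pseudonymised if required."""
    rule = ACCESS_POLICY.get(role)
    if rule is None:
        # Deny by default: an unknown role is not an empty view, it is an error.
        raise PermissionError(f"no data-access policy for role {role!r}")
    # deepcopy so a consumer editing its view cannot alter the master record.
    view = {k: deepcopy(v) for k, v in record.items() if k in rule["allow"]}
    if rule["pseudonymise"]:
        view["subject"] = pseudonymise(record["patient_id"], key)
        # Generalise the quasi-identifier: year of birth is enough for most
        # research and far harder to link to a named person than a full date.
        if "date_of_birth" in view:
            view["date_of_birth"] = record["date_of_birth"][:4]
    return view


def reidentify(subject: str, known_ids, key: bytes):
    """Governance-side re-identification: needs both the key and the master
    list of identifiers. Returns None when the pseudonym matches nobody."""
    for patient_id in known_ids:
        if hmac.compare_digest(pseudonymise(patient_id, key), subject):
            return patient_id
    return None


if __name__ == "__main__":
    for role in ("doctor", "researcher", "billing_clerk"):
        print(role, view_for(role, PATIENT_RECORD))
```

The point of the design is that the policy, not the storage layer, decides what each consumer sees, so the same rules follow the record into every application that copies it; and that the researcher's data is useful without the name, while only the holder of the key and the master ID list can ever put the name back.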
As we have shared, effective CDOs manage defense and offense. Defense is more than fixing data quality: it includes data privacy, security, and compliance, all built upon a data protection foundation. Please let me know what you think – who owns data defense and offense in your organization?