Recently, I got to ask a set of vanguard CIOs about data protection as it applies to data security and data privacy. What they said should be heard by anyone concerned about data - especially those who are worried about business risk or about consistently delivering business outcomes in the digital era.
Who is responsible?
While CIOs say it is their working assumption that their business leaders want their data flows governed and protected, they say that this is an assumption worthy of business validation. Is your voice being heard here? Regardless, they say that CIOs should be all about data and responsible for data no matter where it resides. Given this, CIOs feel that they need to lead the data security policy discussion. They also say that this includes introducing risk management to diverse privacy viewpoints.
Who else matters?
CIOs assert that the key stakeholders for governance need to be data owners, data analysts, and data-analytics-based decision-makers. A key role to create and involve in all of this is seen as the data steward. Have you created them? Data stewards are seen by CIOs as having the job of access control definition, with assigned access, privilege enablement, and documented approvals. One CIO stressed here that he believes data access is an organizational value, rather than a policy. He goes on to say that data access is, in fact, the basis of policy.
Why is protecting data hard?
CIOs tell me that they need to take an ecosystem view today. They say that it is for this reason that security needs to move from perimeters to the point of use to be effective. They say that, effectively, the entire world is your perimeter now. This is in contrast with the 'big iron days' when all data was in one place. In these hybrid cloud/SaaS days, CIOs say the focus needs to shift from the systems to the data.
This is seen as much harder but ultimately required. For this reason, CIOs say you had better know your data classifications and have solid, automated identity management practices and encryption.
An educational CIO put it this way: 'You know those flight maps in the airline magazines? Those are our data movement maps. We have, in our environment, data flying all over the place.'
Today, protecting data needs to be a 360-degree conversation. It needs written policy, user transparency, and data protection. And attention 'needs to be given not to the pieces but to the whole enchilada.' Part of doing this well is data hygiene - data quality, data ownership, data policies, and of course, the parallel of this, data security.
Do you have a role?
CIOs say absolutely. One CIO puts it this way: with 500+ application purchases a year, there is a lot of need for data and for data stewards who own 'data maintenance & control methods.' Clearly, security and access are key parts of an overarching data governance approach that needs to be put in place to truly protect your firm's data assets and reputation from external and internal threats.
You might be asking here, how do I tie this to annual objectives? The answer is that data policies are inherent to business compliance, risk, and security. While the CIO may be responsible for facilitating those policies, CIOs are clear that data policies must be led by the business. CIOs tell me they worry that many executive teams do not understand the implications of not having policies or, even worse, of not enforcing them. The benefits here are significant, especially when considering the resources spent on storing data without knowing why. CIOs see the need for a workflow that considers the value of data and ensures there isn't complacency about protecting sensitive data.
What is needed to do this well?
CIOs are open that they and their businesses are only at the beginning of the data security conversation. They believe strongly that more investment is required.
What is needed to do this well? CIOs say that, with your help, they need to protect data where it pools and where it flows. Today, this includes things like Big Data and Cloud. They believe you need the ability to secure and protect data everywhere it flows. But you also need the ability to centrally govern data access and to enforce those policies across every location that data flows to, regardless of the nature of the data (structured, semi-structured, or unstructured) and regardless of how it is stored, whether in a traditional database or a big data file system (HDFS). Today, whatever the state of the data - at rest, in use, or in motion - it needs to be managed systematically rather than in piece parts.
Learn more about managing enterprise data security
#Governing the enterprise in an era of #data insecurity. What #COBIT5 recommends? http://bit.ly/1u0xCAg
Why are people, processes & technologies essential to #CIO #datasecurity success? http://bit.ly/2cxjZUI
How can #CIOs protect their reputations as well as that of their brands from #databreach? http://on.wsj.com/2diEHXo