Category: CDO

CDO, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Data Regulation is the New Reality

James Howard

On October 28th, the BBC’s Chris Baraniuk reported that recently, Tim Cook was in Brussels to address the International Conference of Data Protection and Privacy Commissioners.  In his remarks, Mr. Cook, referring to the misuse of “deeply personal” data, said data was being “weaponized against us with military efficiency”.  The BBC went on to report that Mr. Cook said “We shouldn’t sugar-coat the consequences,” and “This is surveillance.”

The speech reaffirmed Apple’s strong defense of user privacy rights, in contrast to competitors business model of driving advertising revenue by analyzing people online habits.   “The trade in personal data served only to enrich the companies that collect it, he added.”

Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR), and went on to say that other countries “including my own,” should follow the EU’s lead toward protecting personal data.

To be sure, economics are at the heart of the concern.  Given the string of events that have occured, where data is mishandled or exposed, companies are at risk of losing customer and stakeholder trust, and without that trust, it not clear how they can drive or thrive in the data economy.  So coming together in support of a GDPR-like framework makes sense; it raises the conversation to a global level, and can result in a safer and more efficient environment in which to conduct business. Companies that embrace the framework will have more flexibility and resilience, while those firms paying it lip-service will eventually themselves be at the center of their own data crisis.

And therein lies the rub.  Compliance is not the same as data protection, especially when the regulation is principles-based and not prescriptive.  If the objective in implementing a framework is to comply with a regulation, one is tempted to overlay one’s current operating model with the requirements of the regulation and address gaps.  While it may reduce the risk of data incident, it will probably do so by coincidence.

On the other hand, if companies went about handling information with the strongest possible ethics, where they routinely assessed and addressed risk, recognized and avoided moral hazards, then the incidence of breach and miss-use would naturally be much lower.

The obvious competitive issue is that the second scenario is more expensive and less flexible.  Moreover, if a minority of companies took this approach, they would be less prosperous, and economic darwinism would cause them to go extinct.  And suppose there were a major data “catastrophe”, and the market environment were made up of a combination of those that embrace a high degree of data ethics and those that don’t, the market may not recognize and reward the higher resilience of the highly-ethical-but-less-profitable.  Instead, what we’ve seen is the mainstream market reacts with shock and incredulity and – at the prompting of regulators – implement newly-penned frameworks meant to avoid future occurrences of those events.

While one might argue that black swan events are by definition unforeseeable, one can equally argue that waiting for them to strike before implementing any sort of protection strategy simply opens the door to more black swans, and when events do occur, they result in unnecessarily high impact.

Apple’s Tim Cook makes clear his view that status quo is unacceptable.  As an unquestioned highly credentialed leader and insider in the technology (and information) world, his use of words like “weaponized” and “this is surveillance” should not be taken lightly — he knows what he’s talking about.  No doubt more so than the rest of us.

So as with most things, a thoughtful balance must be considered.  The dilemma is how to balance among the following:

  1. The rapid growth the volume to data aggregated by companies, across the board from business-to-consumers, to business-to-business companies, and ranging from companies providing services to those providing goods — and the increasing overlap.

  2. As a subset of that, the increase in the volume of personal data stored online, and the ability to gather even more data about individuals – habits, interests, locations, views and opinions.

  3. The rapid evolution in the science of data analytics, and the ramp-up of technology able to manipulate and compute data on a mammoth scale.

  4. Coupled with this, is the increasing ability to combine and analyze datasets in ways that allow for the creation of new and credible data and conclusions.

  5. As the size and richness of the datasets grow, so do the consequences of an event (whether a breach, misuse, abuse or exposure).  These range from a sense of creepiness when personal data is exposed, all the way to the very real consequences of insidious manipulation of our views and opinions.

In short, how can companies derive benefit from data, while managing the risks?  Neither momentum is letting up — the momentum around utilizing the expanding datasets, or the momentum around data events and subsequent responses from regulators.

One realistic way is to embrace and build a culture around managing all aspects of data, in lock step.  This is built into a data management program, led by a Chief Data Officer, comprised of three interdependent functions:

  1. Data Leverage, focussed on enabling the business use of information,

  2. Data Protection and Compliance, focussed on addressing risk resulting from data leverage, in terms of misuse, loss or non-compliance with obligations

  3. Data Quality, ensuring that the data being used retains its accuracy and integrity

This model is coupled with appropriate oversight, in the form of:

  1. A steering group with senior stakeholders from across the company,

  2. Direct oversight by CEO or COO,

  3. Connectivity into other key functions, including the CIO, CISO, HR and Legal,

  4. Active oversight by the Board of Directors, to support business initiatives and agree with risk mitigations plans.

A standing filter for any and all data initiatives needs to be ethics, and a consideration for the consequences of the genie getting out of the lamp.  Is the company willing to handle the outcome, if an initiative goes wrong? What is the risk, how is it managed, and are the right people accepting the residual risk?

The discussion is reaching a fever pitch with leaders of the most influential technology companies adding their voices to the conversation.  Any company wanting to join the data economy should consider doing so with an appropriate data management framework. This will position them to accelerate as new opportunities present themselves, while being able to manage events as they occur and accommodate compliance requirements that arise.

 

CDO, CPO, Information Management and Governance, Information protection, Privacy

Role of a CDO Supporting Boards of Directors

James Howard

Executive Summary:

Companies are increasingly looking to leverage data as a new revenue stream or a way to increase efficiency.  However, risks related to data breach continue to figure prominently on Board agendas. A Chief Data Officer acting as an advisor can help Boards and Executive Leadership understand the risks and opportunities around data, which in turn, helps Boards fulfill their responsibilities to the organizations they oversee.

Introduction

Boards of Directors have an important and challenging role.  Among other duties, they are responsible to stakeholders for the performance of the organization they oversee.  This includes not only helping to enable business directions and objectives, but also ensuring Management properly identifies, manages and mitigates risks.

Two areas stand out among the ways that information and data figure prominently:  First, business opportunities created by rapid developments in data science and related computing platforms, and second, risks relating to data breach and loss, often under the heading “Cyber risks”.

Business opportunities

Business opportunities tied to information are becoming more important to companies.  Specifically, the significant increase in the role information re-use, leverage and monetization plays in many companies’ strategic plans, increasingly tied to AI and Digital Strategy.  These are outlined in terms of leveraging data science and the abundant range of available data to:

  • Create net-new products and services, including monetizing data, or
  • Enhance and augment existing products and services, or
  • Enrich management information to drive efficiencies.

These initiatives are not trivial, and the potential benefits are huge, whether as new revenue streams, or optimizing operations; many organizations view leveraging information at the strategic level as critical to their continued success – a matter of survival.  Paraphrasing George Orwell, “whoever controls the data, controls the future.”

And momentum is building at a remarkable rate, both in terms of the volume and breadth of usable data, as well as the sophistication of the tools designed to analyze and leverage data.  

Information risks and obligations

Information-related risk presented to Boards and senior executive leadership are often grouped together under the broader topic of Cyber.  These are generally risks related to breach of systems, theft or unauthorized disclosure of data, intrusions, threats to the integrity of systems and data, and the risk of system outages and disaster recovery.  Many recent incidents are where data is exposed on the internet and where the company realistically has no idea whether an actual loss has occurred.

A second category of information risk is also rapidly emerging with increasing consequence, and that relates to compliance with privacy-related information handling obligations and regulations.  These include, for example, the recently enacted EU GDPR (affecting the handling of personal information belonging to EU citizens), HIPAA/HITECH (affecting the handling of health information), and California’s CCPA (affecting the handling of personal information belonging to residents of California).  

Beyond the regulations, there are increasingly explicit requirements for handling data belonging to other stakeholders, spelled out in contracts or other “data use agreements”.  

Consequences for violating information-handling obligations include,

  • Financial: lost productivity, loss of customers, loss of competitive positioning, etc.,
  • Regulatory: fines or other measures imposed by regulators, if the company was at fault.  In the case of GDPR, fines can be as much as 4% of revenue.
  • Brand: loss of customer trust and confidence in the company’s ability to deliver, or to protect information entrusted to them.

Key questions

When evaluating company’s use of data, Board members and executive leadership should ask themselves certain key questions around how data is being leveraged and managed.  These include:

  • What approach is the company taking to leverage data?  What is the vision? The strategy? Is governance a component of the strategy?  Many companies are racing to implement data leverage plans, and in their haste to make headway, many have been hiring data scientists in leadership roles to drive tactical plans ahead.  As a result, governance is often overlooked. However, without proper governance, it will be hard to create a credible strategy reflecting the needs of the business, as well as identify all the opportunities, priorities, costs and risks.
  • Is the data leverage team (“data scientists”) following elements of the Scientific Method?  Many people calling themselves Data Scientists are proposing initiatives where they requisition increasing volumes of data so they can see what opportunities they can come up with.  By itself, this approach introduces risk, since the company may not have a clear idea what they are getting for their investment in big data. By analogy, pharmaceutical companies wouldn’t fund researchers to “play” in the lab letting them see what new drugs they can invent.  Companies pursuing plans to leverage data should do so following some formal methodology which includes articulating and testing hypotheses.
  • Has a data inventory been performed?  What obligations are tied to the data?  Most companies have sizeable volumes of data on hand, and many are asking how they can monetize and leverage the data.  An inventory is critical if the company is going to leverage or monetize data, and knowing obligations is key to understanding what you can do with data and structuring protections.
  • What is the most valuable data and where is it?  Most data classification schemes are very basic — only 2 or 3 classifications.  While these are simpler to implement for security purposes, they aren’t useful for determining relative value of data or what data is key, and can interfere with otherwise appropriate use and access.
  • Who has access to data, and is that access appropriate?  Without proper data governance, you can’t reliably know whether access to data is appropriate.  Being able to answer this question is required under certain privacy and banking regulations.
  • Is it available to the people who need it, and are safeguards appropriate?  Leveraging data requires that the right people can gain access to the data.  But even while its being processed, certain safeguards still need to be in place, and these may be different than for data “at rest”.
  • Have risks to information been assessed along IT and non-IT lines?  Risks should be assessed based on the business processes that manipulate data — not just IT repositories holding data, or applications touching data.  People are the biggest cause of data incidents, and are responsible — in some way — for most “insider threat” incidents.
  • If information were lost, stolen or exposed, how would you know?  Most companies invest in preventing theft or misuse of data, but its extraordinarily difficult to know when data has actually been breached.  Most of the time, companies find out when an outside agency — such as law enforcement, the press, or a “hacktivist” group tells them. Proper data governance and inventory can help reduce the risk of data loss, and allow the company to focus protection efforts on more important data assets.

Step back

Many enterprise risks concerning data elevated to the Board focus on the technology aspects of the risks.  This is often because that is how the company is organized — anything loosely connected to “data” is directed to the CIO and CISO.  Digging into the risks, however, often reveals that the underlying concern is data: it’s use and the consequence of an incident. Taking a step back, if the concern is data, it may be helpful to separate the data from the IT platform it sits on, and from there, zero-in on the issues – both opportunities and risks.

The role of CDO

Increasingly, companies are appointing CDO’s — Chief Data Officer — tasked with implementing governance over the data initiatives, and aligning activity to execute data strategy.   The responsibilities of the CDO vary across organizations, but in general, they should be looked to by the Boards to help understand and navigate data-related matters.

A good CDO focuses on all aspects data – opportunity, risks and obligations.  They are conversant on the technology tools that process, store and transmit data, and can help the Board members understand the topic with clarity so they can engage with executive leadership.  Board members should consider seeking support and advice from experienced CDOs to help them navigate data-related matters in the organizations they oversee.

Conclusion

Data has always been critical to organizations.  In recent years, its increasingly being recognized and treated as an asset that can be leveraged to provide added benefit to organizations, whether through increased revenue or operational efficiencies, and that benefit is tied to the rapidly evolving field of data science as well as the incredible growth in available data.  With the increased prominence of data at the strategic level, Boards of Directors and Senior Executive Leadership are expected to understand and provide direction around the use of data and management of related risks. CDO’s can serve as a valuable resource to help Boards in fulfilling their responsibilities.  

Contact me at james@jhoward.us

CDO, Information Management and Governance

CDO: Leveraging AND Protecting Data

James Howard

A lot is written about the important role the CDO has in promoting, monetizing and leveraging data in an organization. There is no doubt this is their primary function, and failing to fulfill the role can cost the organization in terms of revenue, competitiveness and market position. But the CDO has an equally important role in overseeing governance of data, and failing to embrace that part can lead to similarly negative outcomes.

I’m going to make a provocative statement: the data leverage market is charging ahead and the data governance disciplines are not keeping up. We will continue to see headlines describing data-related issues. Like opposite ends of a rubber band being pulled tighter and tighter, we are facing an increasing risk of a significant, potentially catastrophic, event. The risks aren’t only that data might lost or breached, but also that the organization might fail to gain full benefit from their data. The CDO plays a key role in managing the risk, avoiding issues, which in turn positions the organization to move faster and more nimbly.

Lets talk about the data:

A majority of companies are leveraging Big Data, with Financial Services and Healthcare leading the charge, and nearly 80% of executives believe that failing to embrace Big Data will cause companies to lose their competitive edge. Use cases range from customer and clickstream analysis, to fraud detection and predictive maintenance. The statistics go on and on, all pointing to an accelerating pace of growth and adoption.

  • Tools are becoming more sophisticated, and evolving to where increasingly, end-users can can pursue data tasks without involvement of IT staff. The analytics software and services market is $42B this year, expected to grow to $103B over the next 9 years.
  • And 59% of executives believe that their use of Big Data would be improved through the use of AI – often itself dependent upon the quality of data.
  • How much data? One estimate puts at 44 zettabytes by 2020 (44 TRILLION gigabytes)!

Point being, we are continuing the trajectory of very high growth in the use of data, and no end in sight as far as how much data there is to manipulate and leverage.

OK. So how is it being managed?

Increasingly, where in place, responsibility to establishing the vision and executing the strategy for data use falls to the Chief Data Officer. However, less that 20% of the top 2,500 companies have named CDOs, and they are often focused on the market-facing and revenue aspects of data. But even for those CDO’s whose responsibilities include governance (covering data protection and quality), there are no standard frameworks to employ to manage data.

By framework, I mean the mechanisms to manage data through it’s lifecycle the way one would manage any other asset. Gartner observes that while the traditional business disciplines provide some analogs to manage information as an asset, nothing has emerged tailored to information, let alone adopted as a standard. In fact, accounting standards don’t even include “information” on financial statements.

Within any governance framework should be Protection against reasonably foreseeable threats. There should be a model where protection of data is proportional to data (asset) value, relevant risks and threats, and which takes into account compliance obligations. To be sure, there are many sets of obligations, supporting methodologies with varying levels of adoption and maturity to address data protection along verticals (e.g., GDPR, HIPAA/HITECH, etc), and respectable frameworks to help ensure information security (ISO27001, for example). But these are rarely within the responsibility scope of the CDO. The CDO has to navigate different organizations to engage with one or more CIOs, CISOs and/or CPOs to help implement protections — and those other leaders’ priorities are often on other imperatives, and politics frequently interfere. So it’s difficult to see how an organization can simultaneously position itself to leverage data as a key asset, while also ensuring proper and proportional protection.

Stepping back looking at the bigger picture, I’m describing a market environment where opportunities for leveraging and profiting from data are exploding, while the mechanisms to manage and protect that data are lagging.

What can go wrong?

This pattern points to scenarios where data is breached, questionable data becomes over relied-upon, or where momentum builds to leverage and profit from data, but due to the lack of proportional governance, an event occurs (or worse, issues go undetected until outsiders raise the alarm) resulting in a loss or process failure, leading to financial and/or brand damage and regulatory intervention. A quick review of headlines reminds us this happens on an all too regular basis, leading to the inevitable questions such as, “how could this have happened?” or “you should have seen that coming”.

Is it avoidable? 

Black swan events are – by definition – unanticipated.  However, organizations can take significant steps to anticipate and either avoid or plan for these events, and prepare for potential outcomes by embracing information management and governance techniques. Remember, a data event – whether a breach or a perceived abuse of data – affects not only the organization in question, but also those around it, emanating outwards.

Data leverage and data management can be thought of as opposing forces pulling opposite ends of a rubber band — they will reach a breaking point, and the tension needs to be released in a controlled fashion. The CDO plays a key role, since they should be looking at the “big picture” of “big data”.

  • The CDO needs to be empowered and adopt a posture that balances pursuit of opportunity with proper governance – protection, quality, accuracy.
  • The CDO should be prominent in an organization, to begin addressing the many cultural barriers to information management.
  • The market needs to settle on a framework to manage information as an asset, recognizing it has value and utility to be exploited.

We are living in a world where data is everywhere and the ability to manipulate it for benefit is growing at an incredible pace. Market disruptions are occurring on a daily basis, often enabled by creative use of technologies that analyze data. Forward looking companies wanting to play in this space are looking to CDOs to help, and they need to be properly enabled. Now is the time to engage.