Tag: CDO

CDO, Information Management and Governance

When do data-dependent startups need a Chief Data Officer?

James Howard

More and more startup companies are exploiting business opportunities tied to data.  Whether developing data-dependent AI, re-imagining how to conduct familiar business processes in innovative ways, or intelligently designing and building datasets drawing from a growing variety of sources.  The common theme for this class of business is the reliance on, and exploitation of, data.

In the earliest stages, startups are focusing their energy and time on creating their product or service.  As they begin to mature, they naturally start to move toward a state where they are returning value to their stakeholders – profits.  Perhaps they plan an IPO or to be sold to an investor, or some other larger entity.

This paper explores options and approaches that companies could consider to determine if and when they should appoint a Chief Data Officer (CDO), as well as their scope of responsibilities.

What kind of startups should prioritize appointment of a CDO?

At some point in their lifecycle, any company that is dependent on data will need to implement data management processes.  These include processes to acquire, ingest, catalog, track and at some point, dispose of data. If the data is licensed or belongs to others, they will need to understand and comply with applicable obligations.  They will need to create a data architecture, build repositories and apply appropriate controls to protect the data.

This description admittedly covers a lot of scope.  So the following adds a little structure to the thought process:

Does the startup…

  1. Handle large volumes of data?
  2. Have data as core to it’s business, where completeness, accuracy and currency are critical?
  3. Have products and services that are dependent of data, but are themselves not data products?  (e.g., a website or app with data in the back-end vs. a licensed database)
  4. Need data that is licensed or procured from others?  
  5. Use personal data (PII) or health data (PHI)?
  6. Need to demonstrate data lineage or provenance?
  7. Create new data, which has intrinsic value?
  8. Live with the risk that a data incident could cause irreparable harm?

If the answer to many of these are Yes, then the company should consider appointing a CDO.  Moreover, if the company wants to go public or be bought by another company – especially a public company where the transaction is material, the startup may be expected to demonstrate discipline around the treatment and protection of data, including documented policies and procedures.  While a CDO isn’t necessary to do this, a CDO can design and implement practices and disciplines that will provide comfort in a due diligence setting, and integrate those disciplines into the daily business routine of the startup.

What value can a CDO provide to a startup?  

Removing Barriers:

A CDO can provide a range of value to a startup.  The CDO looks at a company’s business through the lens of data, and is sensitive to both the value (revenue) cycle as well as the risks and obligations, recognizing they go hand-in-hand.  From this vantage point, they can enable the business by sourcing data and removing barriers, and can implement right-sized controls, proportional to actual risks and obligations. In effect. they can enable the data scientists – who seem to always “need…more…data…” – by providing relevant data, aligned with business objectives, where obligations and risks are managed elsewhere.  Call it “unencumbered data”.

Scientific Method:

A CDO understands and recognizes the transformative potential of data, but also a balanced sense of proportion – especially when resources are scarce.  By implementing structure around the activities of data scientists, a CDO can improve the chances that research will be fruitful and aligned with business objectives – with a necessary degree of transparency for stakeholders.  

Protection and Compliance:

Most information that companies want to use will have some kind of requirements around handling.  These will emanate from one or more of the following:

  1. The data is regulated; many data projects will incorporate information about people — PII or PHI — likely controlled by one or more regulatory frameworks (e.g., GDPR, CCPA, GLBA, HIPAA/HITECH)
  2. The data belongs to others and is governed by a contract or Data Use Agreement
  3. The data is valuable and needs to be protected – these protections might be present as a result of the data being regulated.
  4. A breach of the data could result in harm or loss, either to the company or to data owners, and should cause the company to respond in a certain way.

The CDO, who should understand the nature of data, can work with the CISO and counsel to implement proper controls to protect the data and comply with requirements.

Ethics:

By understanding the business and compliance perspectives of data, the CDO can provide perspective on the ethics of data use.  So much of the new digital economy is exploring uncharted territory, where potential uses haven’t yet been imagined. There are lines not yet drawn around what industry should do, even though they can do it.  Data-driven inventions can cause real or perceived harm to consumers as they disrupt industries.  Whether its financial services, advertising/marketing, insurance, consumer electronics, or the breadth of online applications and properties.  Data is central to these and a misstep can be catastrophic.

Optics:

Transparency is a cornerstone of the capital markets.  And while data-driven startups are inventing new ways to conduct business and benefit consumers, much of it is betting on the future.  With so many unknowns, appointing a CDO can help inspire confidence that a data-dependent startup is approaching their objective with a view to managing their data assets for the longer term.

What can a CDO do?

85% of the time, “Big Data” initiatives fail to meet their objectives, and 50% of startups fail in the first year.  Start-ups relying on data can’t afford many false starts. The CDO can spearhead data management activities that can, in aggregate, reduce risk of project failure and increase the likelihood of achieving the desired outcome.  These might include

  • Vision and strategy, involving leaders across the company
  • Data inventory
  • Data architecture
  • Data acquisition
  • Data maintenance and quality
  • Data retention and disposition,
  • Risk assessments, protection and compliance processes

While these are not necessarily discrete activities, and should certainly be scaled to the situation, having a framework in place would be very useful to (1) enable growth, (2) permit introduction of different data sets, and (3) give Boards of Directors, auditors, reviewers and regulators a level of comfort that the company takes data management seriously.

Balancing cost vs value?  Alternatives…

Many early stage startups are focused on laying out the important initial groundwork to sustain themselves — developing products, recruiting talent and identifying customers.  As they move through funding stages and become established, they might be looking toward aggressive growth, IPO and engaging in discussions to be acquired. This is a sliding scale – and it may not make sense to appoint a full-time CDO initially.  Startups should consider engaging a consultant or a CDO on a contract basis to implement and appropriate framework. As time and circumstances evolve, the time commitment can be adjusted.

Who should drive the decision?

The role is so important and strategic, that the CEO should drive the decision to appoint a CDO.  The CDO should expect to work closely with the CEO, as well as the rest of the executive team. Moreover, the CDO should expect to meet with the investors and advisory board to reinforce the role and how it will help the company accelerate forward.

Conclusion

It goes without saying that startups leveraging data science are not at odds with managing data, or the scope of a CDO.  They are extremely complimentary, to the point where an CDO can dramatically improve the probability of a data program, or data-dependent startup, succeeding.  

CDO, CPO, Information Management and Governance, Information protection, Privacy

CDO’s Role in Managing Data Breaches

James Howard

In the span of a week, we’ve see data breaches affecting 600 million people.  For perspective, that’s more than every man, woman and child in the US, Russia, Canada, Britain and Australia combined.  And the damage may not be done, as scammers and other bad actors frequently take advantage of the widespread confusion that follows these sorts of incidents.

Moreover, as the investigations unfold, we will begin to see the breadth and depth of what went wrong, who did what, and what steps must be taken to prevent this from happening in the future.

The risk manager in me says this will happen again, just as it’s happened before.  Data experts know all too well the challenges in implementing controls proportional risk, and counter-balancing every data initiative with the right set of controls — starting with asking whether the proposed data collection or use benefits are worth the downside risk.

So what does this mean to a Chief Data Officer?  In a word, everything. Why? Because data is at the center of every breach, and the CDO should be looking at the full picture around both data use and data risk.  The emerging role of the CDO in business positions them as a key executive in helping to reduce the risk of breach as well as to navigate the aftermath, protecting the organization’s brand.

Before a Data Incident

In the normal course of business, the CDO should be executing against the company’s data strategy and vision, and maintaining an inventory of critical data assets.  The inventory should include key meta-data — ownership, obligations, location, permissions, value, uses, etc — which forms an important part of a periodic risk analysis.  

The risk analysis considers threats, vulnerabilities, obligations and relative value of the data to conclude on appropriate protections.  The more progressive CDO’s will construct a holistic threat analysis that answers the question, “what could go wrong?” or “how might information be breached?” taking into account behavior of personnel, company culture, key business activities and positioning of the company in the marketplace.  Typically, such an analysis covers the spectrum from the seemingly mundane (accidents caused by carelessness or poor judgment), all the way to industrial espionage targeting company data, with a total of 5 or 6 categories in between. This analysis serves as a sounding board to validate the range of control activities, which includes everything from policy, to business practices, to training, to technical controls, and some instances where certain risks have to be accepted, insured against, or perhaps transferred elsewhere.

The CDO should provide business requirements to the CIO and CISO for appropriate technical measures to provide protections, which – depending on the sophistication of the company – could range from providing data classifications, to which the CISO or CIO react, all the way to explicit requirements for, say, encryption and access control.  

The inventory shines a light on whether all data on hand is truly necessary, or whether some can be disposed of.  Moreover, the CDO’s analysis of business processes using data can also question whether all data being collected is necessary.

The Board of Directors, senior executive leadership and internal audit should – to appropriate degrees – be aware of how the company is using data as well as the CDO’s assessment of risk and mitigating controls.  This will allow them to understand the risk/benefit around data use, and weigh in whether the business opportunities related to data use are sufficiently compelling.

The CDO maintains relationships with counsel to understand the legal aspect of obligations, and obtain sign-off on the sufficiency of the compliance programs.  The CDO should understand their regulators’ expectations and requirements around handling data, making sure their protection controls meet regulator expectations.  These steps are key, because most breaches — especially where regulated data is involved — will result in legal or regulatory exposure, and having transparency with counsel and regulators with streamline investigations.

The CDO should own (or be a key stakeholder in) the data incident management process. This is the process whereby data incidents — data loss, possible breaches or exposures — are logged, analyzed and investigated.

During a Data Incident

Sometimes, a target organization is aware of a data incident as it’s occurring.  Many companies have processes to respond in this event, which may focus on containment, interruption, or other priorities (allowing an attack to proceed in a controlled way may help law enforcement with their investigation).

The CDO should be available to help answer questions about the nature and location of data that may be accessed, as well as to begin preparing post-incident planning. Some data owners (e.g., Federal Government) have explicitly defined time frames to report data incidents, the CDO can get ahead of these requirements.  

Following a Data Incident

Companies should have a crisis management plan that includes defined procedures to be followed in the event of a cyber attack, data breach or exposure.  The details of these plans are tailored to each company, and generally emphasize damage control and protecting the brand — which in itself may follow one or more tracks, based on the nature of the incident.  

Stakeholders include senior leadership, legal counsel (sometimes supported by outside counsel), the head of security, the CIO and CISO, and often on-call cyber security consultants.  The overall objective is to understand what happened, how it happened, who perpetrated the event, what data was affected, overall impact, and how to repair the damage and prevent the same thing from happening again.  

Along these lines, the CDO should help assess the impact of the loss, in terms to cost to the company — defined as asset value, or competitive impact, or brand damage to the organization.  The CDO can be a resource to analyze the nature of the data to determine whether external notifications are required, and – in conjunction with counsel – whether there is a regulatory impact.  Who owned the data? Do regulators, customers, vendors, partners or clients need to be notified? Is there a timeframe requirement for notification and is there a specific process to be followed?  Do affected parties need to be offered – or are they likely to demand – compensation?

The CDO can help analyze what went wrong, by having an understanding of the processes and policy around data use.  Was there misuse of data or was it stored, processed or transmitted in ways it shouldn’t be? Was there a control failure, or absence of control?

This analysis concludes with a reassessment and remediation of processes and controls.

Conclusion

Most corporate leaders recognize the near-inevitability of a breach or hack.  This is due to a variety of factors, including the increased complexity of information systems, coupled with the expansion of data-rich cognitive and robotics initiatives, many of which rely heavily on data.  Data sets themselves are growing at a dramatic pace.

Companies are appointing CDO’s to try and coordinate the activities around the leverage of data, and increasingly, they are assigned responsibility for assessing and managing risk around data.  This is not a bad thing at all, since it helps keep risk management activities proportional to risk and the nature of the data.

CDO’s should approach the challenge with a plan, emphasizing transparency and engaging appropriate stakeholders.  Whereas today, Boards often look to the CIO and CISO to understand how data handled and protected, going forward they will increasingly look to the CDO.

 

CDO, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Data Regulation is the New Reality

James Howard

On October 28th, the BBC’s Chris Baraniuk reported that recently, Tim Cook was in Brussels to address the International Conference of Data Protection and Privacy Commissioners.  In his remarks, Mr. Cook, referring to the misuse of “deeply personal” data, said data was being “weaponized against us with military efficiency”.  The BBC went on to report that Mr. Cook said “We shouldn’t sugar-coat the consequences,” and “This is surveillance.”

The speech reaffirmed Apple’s strong defense of user privacy rights, in contrast to competitors business model of driving advertising revenue by analyzing people online habits.   “The trade in personal data served only to enrich the companies that collect it, he added.”

Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR), and went on to say that other countries “including my own,” should follow the EU’s lead toward protecting personal data.

To be sure, economics are at the heart of the concern.  Given the string of events that have occured, where data is mishandled or exposed, companies are at risk of losing customer and stakeholder trust, and without that trust, it not clear how they can drive or thrive in the data economy.  So coming together in support of a GDPR-like framework makes sense; it raises the conversation to a global level, and can result in a safer and more efficient environment in which to conduct business. Companies that embrace the framework will have more flexibility and resilience, while those firms paying it lip-service will eventually themselves be at the center of their own data crisis.

And therein lies the rub.  Compliance is not the same as data protection, especially when the regulation is principles-based and not prescriptive.  If the objective in implementing a framework is to comply with a regulation, one is tempted to overlay one’s current operating model with the requirements of the regulation and address gaps.  While it may reduce the risk of data incident, it will probably do so by coincidence.

On the other hand, if companies went about handling information with the strongest possible ethics, where they routinely assessed and addressed risk, recognized and avoided moral hazards, then the incidence of breach and miss-use would naturally be much lower.

The obvious competitive issue is that the second scenario is more expensive and less flexible.  Moreover, if a minority of companies took this approach, they would be less prosperous, and economic darwinism would cause them to go extinct.  And suppose there were a major data “catastrophe”, and the market environment were made up of a combination of those that embrace a high degree of data ethics and those that don’t, the market may not recognize and reward the higher resilience of the highly-ethical-but-less-profitable.  Instead, what we’ve seen is the mainstream market reacts with shock and incredulity and – at the prompting of regulators – implement newly-penned frameworks meant to avoid future occurrences of those events.

While one might argue that black swan events are by definition unforeseeable, one can equally argue that waiting for them to strike before implementing any sort of protection strategy simply opens the door to more black swans, and when events do occur, they result in unnecessarily high impact.

Apple’s Tim Cook makes clear his view that status quo is unacceptable.  As an unquestioned highly credentialed leader and insider in the technology (and information) world, his use of words like “weaponized” and “this is surveillance” should not be taken lightly — he knows what he’s talking about.  No doubt more so than the rest of us.

So as with most things, a thoughtful balance must be considered.  The dilemma is how to balance among the following:

  1. The rapid growth the volume to data aggregated by companies, across the board from business-to-consumers, to business-to-business companies, and ranging from companies providing services to those providing goods — and the increasing overlap.

  2. As a subset of that, the increase in the volume of personal data stored online, and the ability to gather even more data about individuals – habits, interests, locations, views and opinions.

  3. The rapid evolution in the science of data analytics, and the ramp-up of technology able to manipulate and compute data on a mammoth scale.

  4. Coupled with this, is the increasing ability to combine and analyze datasets in ways that allow for the creation of new and credible data and conclusions.

  5. As the size and richness of the datasets grow, so do the consequences of an event (whether a breach, misuse, abuse or exposure).  These range from a sense of creepiness when personal data is exposed, all the way to the very real consequences of insidious manipulation of our views and opinions.

In short, how can companies derive benefit from data, while managing the risks?  Neither momentum is letting up — the momentum around utilizing the expanding datasets, or the momentum around data events and subsequent responses from regulators.

One realistic way is to embrace and build a culture around managing all aspects of data, in lock step.  This is built into a data management program, led by a Chief Data Officer, comprised of three interdependent functions:

  1. Data Leverage, focussed on enabling the business use of information,

  2. Data Protection and Compliance, focussed on addressing risk resulting from data leverage, in terms of misuse, loss or non-compliance with obligations

  3. Data Quality, ensuring that the data being used retains its accuracy and integrity

This model is coupled with appropriate oversight, in the form of:

  1. A steering group with senior stakeholders from across the company,

  2. Direct oversight by CEO or COO,

  3. Connectivity into other key functions, including the CIO, CISO, HR and Legal,

  4. Active oversight by the Board of Directors, to support business initiatives and agree with risk mitigations plans.

A standing filter for any and all data initiatives needs to be ethics, and a consideration for the consequences of the genie getting out of the lamp.  Is the company willing to handle the outcome, if an initiative goes wrong? What is the risk, how is it managed, and are the right people accepting the residual risk?

The discussion is reaching a fever pitch with leaders of the most influential technology companies adding their voices to the conversation.  Any company wanting to join the data economy should consider doing so with an appropriate data management framework. This will position them to accelerate as new opportunities present themselves, while being able to manage events as they occur and accommodate compliance requirements that arise.

 

Information Management and Governance, Privacy, Uncategorized

HBR and RSA’s Paper on the Impact of GDPR on Business

James Howard

Earlier this year, the Harvard Business Review published a paper prepared by RSA that discussed the impact of GDPR on business, and how companies can thrive under the rules.

The paper provides advice for companies getting started, and what needs to be in place for them to comply.  It also reflects on the “new normal”, and how companies will have to adopt new practices across the organization in order to remain compliant (e.g., Sales and Marketing will need to collect and maintain opt-in’s for the names on their mailing lists).

The final paragraph says:

Data privacy and security of personal data, then, are likely to become ever higher priorities for government as well as individual corporate customers in the years ahead. At the same time, both government and consumer demands on data—for access, mobility, and analytics—will only increase. This creates a tension, especially for large companies that manage large amounts of data, because “minimization—only collecting what you need and keeping it only as long as you have a legitimate reason—is at odds with innovation,” observes Skivington.

The route to successfully navigating between these two objectives starts with knowing the data you hold and providing notice to all EU data subjects to whom it belongs. The rest follows.

By articulating the opposing tension between the market demands for creative use of data, against the requirements to minimize data collected and retained, RSA correctly highlights one of several ways in which the strategic direction organizations want to pursue (with respect to data use) is increasingly at odds with the rights ascribed to data owners.  They don’t recognize that reconciling these opposing forces is central to the CDO’s responsibility and demonstrates the need to closely align the CDO and CPO.  And while the RSA paper focuses on GDPR and the rights to privacy of individuals, it is clear that the obligations imposed by all data owners will follow the same trajectory – especially as data is increasingly regarded as a leverage-able asset by more and more organizations.

The proverbial trains have left the station – one on the data-as-an-asset track and the other on the data-obligations track.  Both are equally important and must be reflected in the CDO’s vision and strategy.

Contact me at james@jhoward.us

 

Information Management and Governance, Uncategorized

Role of the CDO in Preserving Client Trust

James Howard

Trust takes years to build, seconds to break and forever to repair

Information in a client relationship:

In today’s business environment, the relationship between organizations and their clients is increasingly multidimensional, whether the clients are individuals, organizations or combinations of the two.  And increasingly, a dimension of that relationship involves transacting with information. Consider:

  • Products or services provided to the client rely, to a greater or lesser degree, on information that is provided by the client, enriched with other sources, or developed organically by the organization,
  • In the course of providing service, the organization takes in and may retain client information to directly or indirectly enable, enhance or enrich client experience.  For example, client account information, CRM data, payment information, loyalty profile information,
  • In many settings, organizations retain details of transactions for record-keeping purposes, required by regulations or industry standards.
  • In other settings, information taken in during a transaction contributes to enriching a dataset or training an algorithm, which in turn improves subsequent transactions

An element of client and customer loyalty is the belief in the ongoing usefulness and quality of the products and services, and trust that the organization will not violate the implicit or explicit terms of their relationship.   

So what is the CDO’s role in preserving trust?

Data is playing an increasingly prominent role in most organizations’ products and services, whether as net-new data-oriented offerings, or by enriching existing products and services, or helping to optimize internal decision-making and operations.  So how does data play into client trust? Three ways..

Data becoming part of products and services:

As data becomes more integral to products and services, it becomes a more important part of the client experience.  Depending on the use case, the breadth, depth and range of data used to enrich the product/service will increasingly become a competitive differentiator.  Just like the race to add features to on-up the competition, the richness of the data-sets will be used to distinguish one offering from another.  For example,

  • The AI features of a consumer electronic device (enhanced by a richer training data-set),
  • The relevance and number of true-peer companies represented in a data set used to recommend new or improved business practices,
  • The number and range of inputs into a cognitive engine used to forecast business trends,
  • The range of inputs and sensors measuring performance on an industrial device, and the real-time analytics optimizing performance, and
  • The number of additional data sources used to enrich a dataset licensed to clients, and the ability to adjust quickly.

Data vision describes the ways an organization wants to integrate data into products and services, and the data strategy lays out how the organization plans to get there.  The CDO is responsible for coordinating the data vision and ensuring execution of the data strategy including sourcing and managing data through its lifecycle.  

So it follows that the more the product or service relies on data to meet client needs, then the more the CDO is key to deliver on those data capabilities.  And the more the organization demonstrates the ability to deliver value, the more the client will trust the organization and their brand.

Data quality:

Quality and reliability are central to trust and a client’s desire to engage with an organization.  Trust that the quality and reliability will remain is key to maintaining an ongoing relationship. This is true whether at the consumer level, where the transaction involves buying a product, or choosing a doctor or bank, or at the corporate level, buying products or supplies, or engaging an advisor or a BPO.

As the products and services become more dependent on data, issues with quality and integrity of the data can have a greater impact on the product or services, which affects the reputation of the organization and the sustainability of the client relationship.  Revisiting the examples from above, consider the following:

  • What if the AI features of the consumer electronic device can’t respond to queries appropriately, or worse, actions are inconsistent?
  • What if the datasets used to base business recommendations are outdated, or the reference companies aren’t peers?
  • What if the data used to train a cognitive algorithm is representative of the business or transactions being modelled?
  • What of the sensors are tuned for metric units but comparative data is in imperial units? and
  • What if the organization doesn’t have rights to the data used to enrich a dataset licensed to a client?

Assessing risks to the quality of data starts with a data risk management cycle to understand what can reasonably go wrong, and the impact those events can have on the products/services relying on the data.  Flowing from this, an organization should implement a right-sized set of governance and management processes. These not only catalog data with a common ontology and taxonomy, but they track data lineage through its lifecycle from generation/acquisition, through use, and ultimately disposition.  Ideally, this overlays all key systems and processes in an organization, but pragmatically, they should prioritize the more impactful data (hence the use of the term “right-sized”).

As the CDO should be the business owner of the data governance and management processes, it follows that properly ensuring the quality of data augmenting client-facing products and services is the CDO’s responsibility.  This connects the CDO directly to the trust the clients have in the products and services provided by the organization.

Data protection:

The third leg in a CDO’s stool is data protection.  Data used to enhance products and services belongs to someone.  And that “someone” generally has an expectation for the protection of their information, expressed through a combination of policies, contracts and regulations.

When a client hands their over information to an organization, they generally do so with the expectation of getting something in return — usually some sort of service or added value.  The hallmark of a great business relationship is when the client feels comfortable sharing their most important information – relatively openly and seamlessly – in order to get proportional value in return, without having to worry whether the organization will accidentally or maliciously mishandle the information in any way.

So it follows that in order to ensure the client’s expectations are met with respect to handling of their information, the CDO needs to have a clear understanding of where the information is, what is it being used for, who has access to it, what are the constraints and limitations around its use, and what the client expectations are in the event of misuse/exposure/breach and finally, retention/disposition requirements.  The CDO also needs an understanding of the softer elements, meaning, what are the unstated expectations for handling the information that are baked into the relationship with the client, and how can they be met.  The CDO converts these to information protection requirements they provide to the CIO, CISO, HR, Physical Security, etc., within their organization.   

Failing to treat information in line with requirements and expectations can lead to a variety of consequences, including regulatory fines, brand damage and loss of client trust.

Conclusion:

As relationships between organizations and their clients gets more complex, and involves the transfer of increasingly valuable data, its incumbent on the CDO to understand and help the organization meet client expectations with respect to use, quality and protection of data.  In this way, the CDO helps preserve client trust.

Contact me at james@jhoward.us