Information Management and Governance, Information protection, Uncategorized

The Role of the CDO in Counter Industrial Espionage

When one thinks of spies and espionage, our imaginations usually turn to James Bond and Jason Bourne stories.  But with the end of the cold war, many former intelligence officers found more lucrative opportunities in the private sector, offering their services to non-government organizations that were perfectly willing to leverage the research and development capabilities of their competitors.

Fast forward to a time where the economic competition between companies affects political tension between nations, where some nations see nothing wrong with applying techniques developed during cold and shooting wars to provide their own companies with ill-gotten advantages – even at the expense of political allies.

Politico recently published this article that discusses how companies in the Bay Area have become targets for industrial espionage originating from China, Russia and other nation-states.  The article touches on the breadth and depth of the problem, including making a very interesting point that many companies choose not to prosecute espionage cases.  Its remarkable that even when faced with irrefutable evidence, many corporate leaders choose to ignore the facts and fail to notify stakeholders, for fear of how it will reflect on them or affect share price.

There is no doubt that building defenses against industrial espionage is a complicated task, made harder because (1) information has to remain available and usable by the organization, and (2) the organization has to anticipate a wide range of attack “vectors” whereas the intruder only needs one to work.  And if this wasn’t complicated enough already, industrial spies don’t just target computer systems, they target people.  If truly successful, the organization won’t know they’ve been hit until they see a foreign version of their new product, far too similar to the original to be coincidence.

This is not an IT problem

Most organizational leaders equate information to technology, conclude this is an IT problem, and assign responsibility to the CISO to implement appropriate protections.  This logic is flawed for many reasons, not the least of which is the CISO typically has little to no ability to enforce security policies for systems not “owned” by the CIO, nor have the organizational scope to address the behaviors of people.

Although information theft frequently include IT and cyber vectors, people are often near or at the epicenter of an espionage case.  People enable the theft either by actively participating, or by carelessly allowing it to happen.  Professionals who study espionage have determined that people are motivated to betray their employer (or country) for one of 4 reasons, using the acronym “MICE”:

  1. Money – the actor either sees this as a way to get rich, or are financially distressed (in debt, recently divorced, have a gambling problem, etc).
  2. Ideology – the actor believes the organization is somehow evil, and betrayal is a way for the actor to cause harm or suffering, thinking it was deserved,
  3. Coercion (or Compromise) – the actor has a secret that makes them vulnerable to extortion, or are threatened with physical harm to themselves or their loved ones,
  4. Ego – the actor thinks they are smarter than the organization, and can get way with it, or are enticed to spy believing it makes them more important.

None of these touch the ways in which people through their actions, innocently permit espionage to occur.  People are helpful and hold the door for others – especially if their hands are full.  Or take calls wanting to assist the caller (who they assume are authorized to ask what they are asking).  People are reluctant to challenge strangers in the hallways, and a startling number of companies don’t require employees and visitors to display ID badges while on-site.  Doors and drawers are left unlocked and clean-desk policies are seen as burdensome.  There is widespread belief that “it can’t happen to us.”

Where does the CDO fit in?

Industrial spies seek to steal information to gain economic or competitive advantage, and work tirelessly on creative ways to get it.

In basic economic terms, its worth stealing information if theft is cheaper than developing it — assuming ethics aren’t an issue, and the risk of getting discovered is acceptable.  So defending against the theft can be thought of as making it more expensive to steal information than it is to develop or acquire it through other means.

The CDO fits in because they are at the intersection of information use, protection and quality.  They should be in the best position to understand what information is most valuable, or put another way, what information, if lost or stolen, would cause what degree of harm to the organization.  And by understanding where and how information is stored and processed, they are in a good position to provide input on how to protect it.

The CDO’s strategy includes elements that are helpful to guard against industrial espionage.  Some steps the CDO can take include

  1. Classify information as an asset (even if informally, and not captured in the financial statements), and assign economic value, so that protections can be developed that are proportional to the value.
  2. Inventory information and work with the Data Governance Council to identify those broad categories that are most vulnerable and attractive to a spy.  They might include the obvious — patents, methods, formulas, algorithms — as well as some less obvious — executive contacts information, network diagrams, or even payroll information (knowing how much people are paid help know who may be vulnerable to financial pressure).
  3. Liaise with corporate security to gain an understanding of how they are working to protect the organization.  Many of these leaders are former law enforcement professionals, often don’t have an appreciation of the relative value of information within the organization, and will welcome allies on the “business side” to help raise awareness and improve corporate posture.
  4. There is no doubt that nowadays, cyber is a vector frequently exploited to steal information.  Liaise with the CISO to convey proper information protection requirements that need to be reflected in IT systems, proportional to the value of the information in question.
  5. Again, working with the CISO and compliance groups, adjust data loss prevention (DLP) tools to monitor for exfiltration of the most sensitive information.  These procedures need to include investigative and response processes, and may already exist (e.g., privacy rules often include requirements for breach management procedures, and these are very leverageable for this purpose).
  6. A significant part of a risk mitigation plan includes raising awareness among the organization’s people — employees as well as contractors and third-parties.  The CDO can spearhead this themselves, or collaborate with the group responsible for promulgating policy and procedures covering actions and behavior.
  7. Some spies have figured out that if their primary target (say, a high-tech company) is too hard to penetrate, they will instead shift focus to the target’s advisors (legal, auditors, consultants, professional services), since they are trusted by the primary target, but are often more vulnerable and may have weaker controls.  The CDO should understand what business partners and third parties have access or custody of information and — and along with the TPO (Third Party Oversight) function — can mitigate the relative information risk associated with them.

Protecting an organization against industrial espionage is very difficult for a wide range of reasons.  And since the asset sought after by the spies is information, the CDO is central to implementing protections and managing risk.  Success can’t be measure in absolute terms, but instead in increments — implementing small steps puts the organization in a better position than not having the small steps.

Contact me at james@jhoward.us

Information Management and Governance, Uncategorized

Role of the CDO in Preserving Client Trust

Trust takes years to build, seconds to break and forever to repair

Information in a client relationship:

In today’s business environment, the relationship between organizations and their clients is increasingly multidimensional, whether the clients are individuals, organizations or combinations of the two.  And increasingly, a dimension of that relationship involves transacting with information. Consider:

  • Products or services provided to the client rely, to a greater or lesser degree, on information that is provided by the client, enriched with other sources, or developed organically by the organization,
  • In the course of providing service, the organization takes in and may retain client information to directly or indirectly enable, enhance or enrich client experience.  For example, client account information, CRM data, payment information, loyalty profile information,
  • In many settings, organizations retain details of transactions for record-keeping purposes, required by regulations or industry standards.
  • In other settings, information taken in during a transaction contributes to enriching a dataset or training an algorithm, which in turn improves subsequent transactions

An element of client and customer loyalty is the belief in the ongoing usefulness and quality of the products and services, and trust that the organization will not violate the implicit or explicit terms of their relationship.   

So what is the CDO’s role in preserving trust?

Data is playing an increasingly prominent role in most organizations’ products and services, whether as net-new data-oriented offerings, or by enriching existing products and services, or helping to optimize internal decision-making and operations.  So how does data play into client trust? Three ways..

Data becoming part of products and services:

As data becomes more integral to products and services, it becomes a more important part of the client experience.  Depending on the use case, the breadth, depth and range of data used to enrich the product/service will increasingly become a competitive differentiator.  Just like the race to add features to on-up the competition, the richness of the data-sets will be used to distinguish one offering from another.  For example,

  • The AI features of a consumer electronic device (enhanced by a richer training data-set),
  • The relevance and number of true-peer companies represented in a data set used to recommend new or improved business practices,
  • The number and range of inputs into a cognitive engine used to forecast business trends,
  • The range of inputs and sensors measuring performance on an industrial device, and the real-time analytics optimizing performance, and
  • The number of additional data sources used to enrich a dataset licensed to clients, and the ability to adjust quickly.

Data vision describes the ways an organization wants to integrate data into products and services, and the data strategy lays out how the organization plans to get there.  The CDO is responsible for coordinating the data vision and ensuring execution of the data strategy including sourcing and managing data through its lifecycle.  

So it follows that the more the product or service relies on data to meet client needs, then the more the CDO is key to deliver on those data capabilities.  And the more the organization demonstrates the ability to deliver value, the more the client will trust the organization and their brand.

Data quality:

Quality and reliability are central to trust and a client’s desire to engage with an organization.  Trust that the quality and reliability will remain is key to maintaining an ongoing relationship. This is true whether at the consumer level, where the transaction involves buying a product, or choosing a doctor or bank, or at the corporate level, buying products or supplies, or engaging an advisor or a BPO.

As the products and services become more dependent on data, issues with quality and integrity of the data can have a greater impact on the product or services, which affects the reputation of the organization and the sustainability of the client relationship.  Revisiting the examples from above, consider the following:

  • What if the AI features of the consumer electronic device can’t respond to queries appropriately, or worse, actions are inconsistent?
  • What if the datasets used to base business recommendations are outdated, or the reference companies aren’t peers?
  • What if the data used to train a cognitive algorithm is representative of the business or transactions being modelled?
  • What of the sensors are tuned for metric units but comparative data is in imperial units? and
  • What if the organization doesn’t have rights to the data used to enrich a dataset licensed to a client?

Assessing risks to the quality of data starts with a data risk management cycle to understand what can reasonably go wrong, and the impact those events can have on the products/services relying on the data.  Flowing from this, an organization should implement a right-sized set of governance and management processes. These not only catalog data with a common ontology and taxonomy, but they track data lineage through its lifecycle from generation/acquisition, through use, and ultimately disposition.  Ideally, this overlays all key systems and processes in an organization, but pragmatically, they should prioritize the more impactful data (hence the use of the term “right-sized”).

As the CDO should be the business owner of the data governance and management processes, it follows that properly ensuring the quality of data augmenting client-facing products and services is the CDO’s responsibility.  This connects the CDO directly to the trust the clients have in the products and services provided by the organization.

Data protection:

The third leg in a CDO’s stool is data protection.  Data used to enhance products and services belongs to someone.  And that “someone” generally has an expectation for the protection of their information, expressed through a combination of policies, contracts and regulations.

When a client hands their over information to an organization, they generally do so with the expectation of getting something in return — usually some sort of service or added value.  The hallmark of a great business relationship is when the client feels comfortable sharing their most important information – relatively openly and seamlessly – in order to get proportional value in return, without having to worry whether the organization will accidentally or maliciously mishandle the information in any way.

So it follows that in order to ensure the client’s expectations are met with respect to handling of their information, the CDO needs to have a clear understanding of where the information is, what is it being used for, who has access to it, what are the constraints and limitations around its use, and what the client expectations are in the event of misuse/exposure/breach and finally, retention/disposition requirements.  The CDO also needs an understanding of the softer elements, meaning, what are the unstated expectations for handling the information that are baked into the relationship with the client, and how can they be met.  The CDO converts these to information protection requirements they provide to the CIO, CISO, HR, Physical Security, etc., within their organization.   

Failing to treat information in line with requirements and expectations can lead to a variety of consequences, including regulatory fines, brand damage and loss of client trust.

Conclusion:

As relationships between organizations and their clients gets more complex, and involves the transfer of increasingly valuable data, its incumbent on the CDO to understand and help the organization meet client expectations with respect to use, quality and protection of data.  In this way, the CDO helps preserve client trust.

Contact me at james@jhoward.us

 

Information Management and Governance, Information protection, Uncategorized

Data Ethics and the CDO

A wise man once told a cheeky arachnid, “With great power comes great responsibility!”

This is a particularly relevant quote in the context of the evolving data economy. CDO’s may think of themselves as caped crusaders saving mankind, and the truth is they are indeed playing an increasingly critical role to help ensure that organizations can successfully transition to their rightful place in the new data economy.

Consider the following:

  • Overwhelmingly, CEOs believe leveraging data as an asset will be more than a game-changer, and will soon become a critical differentiator to remain successful and relevant – and not all companies will make it;
  • Available data – both volume and variety – continues to grow at an impressive rate;
  • Data science and tools are moving in lock-step with the data growth, finding new ways to derive value from data, creating transformative and disruptive opportunities;
  • Data events – intrusions, breaches and exposures – are also growing at an alarming rate; in 2018 alone, hundreds of millions of people-related records have been targeted, exposed or breached (and that’s just the ones detected); and
  • Regulators – notably the EU and the State of California – are responding with complicated requirements, that will impact a great majority of organizations, and more jurisdictions will follow.

What is the role of the CDO?

The CDO’s primary responsibility is to establish the vision and execute a strategy to leverage data in a responsible way.  This ranges from monetizing data directly, through sale or licensing data, to creating new or enhancing existing products and services with data, to optimizing operations by augmenting decision-making with data.  This is a tall order, and needs to combine insights into available opportunities, maturity of the organization to embrace change, and expectations of organizational Leadership with the support they provide.  After all, if leadership isn’t on-board, a data program is not likely to be successful.

The other responsibility addresses meeting the obligations tied to the data, which starts with data ethics.   Just because we can do certain things with data, should we?  Consider some inputs to that decision:

  • Harm– As with medicine, and as the business person overseeing data initiatives, the CDO should start from the commitment to “do no harm”. The CDO should have a methodology for analyzing and socializing potential data solutions to understand the potential consequential impacts.
  • Legality– The CDO should collaborate with counsel to develop a clear understanding of where legal boundaries lie. As with “do no harm”, organizations should not break the law.  The CDO has an important role, because sometimes there is legal risk (heightened probability that a law will be – or perceived to be – broken), and analysis presented to decision-makers should be clear.  As with other cutting edge sciences, senior leadership may not be as data-literate as the CDO or the data scientists.
  • Expectations– An initiative may be “legal” – technically – and even cause no actual harm, but the organization should be comfortable that stakeholders or clients would not be so disappointed with an outcome that the organization’s brand is impacted or clients go elsewhere. A consumer-client has a different tolerance level than client-companies; consumers take reactionary queues from society, media and social-networks, often with unpredictable results.  Client companies have their own stakeholders, regulators and clients to look out for, which drive their reaction.  Moreover, an un-harmful but “creepy” initiative may draw unwanted scrutiny from a regulator, resulting in the organization expending resources to address.
  • Profit – will the initiative make money, even if risks are mitigated and obligations are met, and expectations are intact? A CDO will be presented (pitched?) with dozens of cool ideas, and has to know how to analyze them for fit within the organization. This is trickier than it seems, because data science presents data-oriented opportunities in organizations not used to the data economy.   The decision-making process around investing in a new plant or product in, say, a manufacturing company may be very different than deciding to invest in a data-driven feature or capability.  And simply “willing it to happen” isn’t enough.
  • Consequences– Suppose the organization bets wrong.  What if the initiative fails to deliver on the planned profit, or simply doesn’t work?  This is manageable through various pathways – insurance, hedges, accounting treatment, etc.  But what if the organization creates a proverbial monster?  Recent debate around AI comes to mind, with AI appearing to evolving in lab settings.  What if, in hindsight, the organization realizes they did something deeply wrong or harmful – should they have been expected to anticipate and alter course?  Recently, companies have ceased to exist because they pursued what seemed like sanctioned or low-risk data-driven initiatives, failing to anticipate social and political outrage.

The data economy presents opportunities never before available to business.  Some organizations will choose to gamble risk against profit.  Others will take a step back and forego immediate opportunities, adopting a wait-and-see attitude.  Some from each group will succeed while others fail.

Like any new science that affects humanity, data science should adopt a canon of ethics that balances achieving benefit against the risk of harm.

No doubt the CDO plays a central role in making or orchestrating decisions and administering data.  As the steward of the data vision and strategy, the CDO must be able to think through the upsides and downsides with balance and objectivity and be willing to stand behind the ethics of decisions, after the fact.

Contact me at james@jhoward.us

Information Management and Governance, Privacy, Uncategorized

Bringing the C’s Together

The Chief Data Officer is in a unique position because they bring together the ever expanding catalog of available information and opportunities to bring value to their organizations. To be effective, they need to look at information objectively, realizing the upside potential, while managing risk and acknowledging their handling responsibilities.

An “I” in PII stands for INFORMATION

The range of information can and should include all the sources that can help achieve the desired objective, including information about people, such as Personally Identifiable Information (PII).  After all, PII is just a class of information, which in many cases can enhance the quality and value of products and services.

But PII is unique in that because it pertains to individuals, it is increasingly subject to a wide range of obligations, whether regulatory, contractual or ethical.  The Chief Privacy Officer is tasked with implementing the policies, procedures and controls around how PII is handled within an organization.

Since the scope of a CPO’s role is to manage compliance for information tied to individuals, and the CDO’s responsibility is around governing and managing the full body of enterprise information, it follows that the CPO responsibility is a subset of the CDO’s responsibility.

Bringing the CDO and CPO together

Traditionally, the CPO sits in the legal and compliance area of organizations, which positions them well to focus objectively on the treatment of the information, looking at it through a legal lense.

In last several years with the rapid growth of data science, there has been a significant refocus on how information is used in organizations, with the increased recognition of the benefit information leverage can bring. Organizations have responded by hiring data scientists and appointing CDO’s located within the business side to focus on leveraging information as an asset.

Having the CDO be organizationally separate from the CPO increases the challenges to have them collaborate, and raises compliance risk. Instead, having the CPO within the Office of the CDO — or even be the same person — provides the opportunity to leverage information with compliance built in, with clear accountability to operational leadership.

Why is this better?

Merging the CDO and the CPO roles provides organizational clarity around the commitment to pursue the opportunities data provides, while highlighting and recognizing the importance of respecting the compliance obligations.  The CDO should be equally conversant in business goals, and the data vision and strategy as they are in the data privacy program.

In addition to the positive optics around emphasizing the importance of privacy, this model embeds privacy in the fabric of operations, not as an after-thought.  It enables the goal of implementing Privacy By Design, and a Privacy Impact Assessment (PIA) becomes a “punctuation mark”, not a major activity.

Checks and balances

To be sure, colleagues (in Risk and General Counsel’s offices) would point out that a benefit of separating the CPO from core business operations is that it helps ensure organizational objectivity and independence, supposedly reducing the chances that privacy requirements can be deprioritized relative to revenue objectives.  But I would argue it happens anyway, in part because the separation raises the risk for privacy to be an afterthought. And implementing privacy requirements as an afterthought (or even just later in a project) greatly reduces the chances of success, while increasing cost and extending timelines.

So there are two key relationships that need to be in place to help ensure the effectiveness of the Privacy program:

  1. Counsel: Privacy is a legal concern, so the CPO/CDO should have a strong relationship and connection to Counsel.  Even the largest organizations rely on outside counsel to supplement the skills of in-house counsel. This is a great idea and should be formalized.
  2. Internal Audit: The CDO/CPO should work with internal audit to make sure data handling is included in the scope of the audit plan.  If there is an ERM (Enterprise Risk Management) plan, data risks and mishaps should figure prominently.

Organizations that are pursuing data leverage, whether as a source of new revenue, or a way to improve products and services or as a way to optimize management decision-making, should consider the significant benefits of merging the data management and privacy capabilities, as it may lead to a stronger – and safer – program, more aligned with the business.

Contact me at james@jhoward.us

Uncategorized

Data Literacy and the CDO

I attended a CIO Event in New York today and there was a great session focused on Data Literacy, presented by Jordan Morrow from QlikView.

Simply put, Data Literacy (in a business context) is a person’s ability to read, understand, analyze and communicate data as actionable information, including using data to support an argument or a proposal.  Jordan conveyed that only ~20-33% of those surveyed (including senior executives) considered themselves Data Literate. At the same time, 80% of senior executives see leveraging data as an asset will be critical for continued success and growth.  

Responsibility for increasing the data literacy falls to the CDO, and should be a high priority, as it is a prerequisite for an organization achieving maturity in the data leverage space, and is a springboard for data innovation.

The benefits are clear.  If an organization achieves a higher level of data literacy, they will:

  • Be able to define a vision that more closely aligns with overall mission
  • Develop a strategy that aligns with culture and is more implementable and focused on achievable objectives
  • Distribute the execution across the organization with more stakeholder buy-in
  • Include data as a basis for decision-making
  • Improve professional skepticism around quality of data

If people are sensitive to the nature of data, they can be expected to incorporate risk-awareness when deciding how to handle data – for example, knowing they are handling PII may cause them to exercise better judgement around it’s treatment, or ask an SME for guidance.

It’s a tall order, especially given the acknowledged low current state of literacy, but can still be approached in a pragmatic way.  There are a number of methodologies out there for increasing Data Literacy that can be adapter to an organization.  Here are some thoughts on approach:

  • The CDO should chair a leadership-level steering committee with representation from all business areas, which sanctions the CDO’s agenda and champions the program;
  • Data Literacy should be on the agenda as a core element and critical-success-factor;
  • Steering committee members should become data literate;
  • Careful thought should go into how the literacy program in rolled out:
    • Culture is hard to change (and requires ongoing messaging and overt steering committee/senior leadership support)
    • Training triggers eye-rolling, especially if it’s not closely tied to a person’s day to day responsibilities
    • Raising literacy is iterative, and should be tied to roll-out of capabilities or products, so awareness and training is relevant and just-in-time.
    • Wins should be celebrated.
  • Since richer datasets might incorporate regulated data, Data Literacy training/awareness should cover appropriate data handling, based the nature of the data.  This has the added bonus in that if it’s delivered just-in-time, it will be more relevant to the use-case being introduced.

I came away from the CIO Event reminded that even though CDO responsibilities are growing on the market-facing side (e.g., data monetization), they should also be responsible for ensuring everyone in the organization is realizing the benefits of the “data economy”.

Contact me at james@jhoward.us