CDO, CPO, Information Management and Governance, Information protection, Privacy

Role of a CDO Supporting Boards of Directors

Executive Summary:

Companies are increasingly looking to leverage data as a new revenue stream or a way to increase efficiency.  However, risks related to data breach continue to figure prominently on Board agendas. A Chief Data Officer acting as an advisor can help Boards and Executive Leadership understand the risks and opportunities around data, which in turn, helps Boards fulfill their responsibilities to the organizations they oversee.

Introduction

Boards of Directors have an important and challenging role.  Among other duties, they are responsible to stakeholders for the performance of the organization they oversee.  This includes not only helping to enable business directions and objectives, but also ensuring Management properly identifies, manages and mitigates risks.

Two areas stand out among the ways that information and data figure prominently:  First, business opportunities created by rapid developments in data science and related computing platforms, and second, risks relating to data breach and loss, often under the heading “Cyber risks”.

Business opportunities

Business opportunities tied to information are becoming more important to companies.  Specifically, the significant increase in the role information re-use, leverage and monetization plays in many companies’ strategic plans, increasingly tied to AI and Digital Strategy.  These are outlined in terms of leveraging data science and the abundant range of available data to:

  • Create net-new products and services, including monetizing data, or
  • Enhance and augment existing products and services, or
  • Enrich management information to drive efficiencies.

These initiatives are not trivial, and the potential benefits are huge, whether as new revenue streams, or optimizing operations; many organizations view leveraging information at the strategic level as critical to their continued success – a matter of survival.  Paraphrasing George Orwell, “whoever controls the data, controls the future.”

And momentum is building at a remarkable rate, both in terms of the volume and breadth of usable data, as well as the sophistication of the tools designed to analyze and leverage data.  

Information risks and obligations

Information-related risk presented to Boards and senior executive leadership are often grouped together under the broader topic of Cyber.  These are generally risks related to breach of systems, theft or unauthorized disclosure of data, intrusions, threats to the integrity of systems and data, and the risk of system outages and disaster recovery.  Many recent incidents are where data is exposed on the internet and where the company realistically has no idea whether an actual loss has occurred.

A second category of information risk is also rapidly emerging with increasing consequence, and that relates to compliance with privacy-related information handling obligations and regulations.  These include, for example, the recently enacted EU GDPR (affecting the handling of personal information belonging to EU citizens), HIPAA/HITECH (affecting the handling of health information), and California’s CCPA (affecting the handling of personal information belonging to residents of California).  

Beyond the regulations, there are increasingly explicit requirements for handling data belonging to other stakeholders, spelled out in contracts or other “data use agreements”.  

Consequences for violating information-handling obligations include,

  • Financial: lost productivity, loss of customers, loss of competitive positioning, etc.,
  • Regulatory: fines or other measures imposed by regulators, if the company was at fault.  In the case of GDPR, fines can be as much as 4% of revenue.
  • Brand: loss of customer trust and confidence in the company’s ability to deliver, or to protect information entrusted to them.

Key questions

When evaluating company’s use of data, Board members and executive leadership should ask themselves certain key questions around how data is being leveraged and managed.  These include:

  • What approach is the company taking to leverage data?  What is the vision? The strategy? Is governance a component of the strategy?  Many companies are racing to implement data leverage plans, and in their haste to make headway, many have been hiring data scientists in leadership roles to drive tactical plans ahead.  As a result, governance is often overlooked. However, without proper governance, it will be hard to create a credible strategy reflecting the needs of the business, as well as identify all the opportunities, priorities, costs and risks.
  • Is the data leverage team (“data scientists”) following elements of the Scientific Method?  Many people calling themselves Data Scientists are proposing initiatives where they requisition increasing volumes of data so they can see what opportunities they can come up with.  By itself, this approach introduces risk, since the company may not have a clear idea what they are getting for their investment in big data. By analogy, pharmaceutical companies wouldn’t fund researchers to “play” in the lab letting them see what new drugs they can invent.  Companies pursuing plans to leverage data should do so following some formal methodology which includes articulating and testing hypotheses.
  • Has a data inventory been performed?  What obligations are tied to the data?  Most companies have sizeable volumes of data on hand, and many are asking how they can monetize and leverage the data.  An inventory is critical if the company is going to leverage or monetize data, and knowing obligations is key to understanding what you can do with data and structuring protections.
  • What is the most valuable data and where is it?  Most data classification schemes are very basic — only 2 or 3 classifications.  While these are simpler to implement for security purposes, they aren’t useful for determining relative value of data or what data is key, and can interfere with otherwise appropriate use and access.
  • Who has access to data, and is that access appropriate?  Without proper data governance, you can’t reliably know whether access to data is appropriate.  Being able to answer this question is required under certain privacy and banking regulations.
  • Is it available to the people who need it, and are safeguards appropriate?  Leveraging data requires that the right people can gain access to the data.  But even while its being processed, certain safeguards still need to be in place, and these may be different than for data “at rest”.
  • Have risks to information been assessed along IT and non-IT lines?  Risks should be assessed based on the business processes that manipulate data — not just IT repositories holding data, or applications touching data.  People are the biggest cause of data incidents, and are responsible — in some way — for most “insider threat” incidents.
  • If information were lost, stolen or exposed, how would you know?  Most companies invest in preventing theft or misuse of data, but its extraordinarily difficult to know when data has actually been breached.  Most of the time, companies find out when an outside agency — such as law enforcement, the press, or a “hacktivist” group tells them. Proper data governance and inventory can help reduce the risk of data loss, and allow the company to focus protection efforts on more important data assets.

Step back

Many enterprise risks concerning data elevated to the Board focus on the technology aspects of the risks.  This is often because that is how the company is organized — anything loosely connected to “data” is directed to the CIO and CISO.  Digging into the risks, however, often reveals that the underlying concern is data: it’s use and the consequence of an incident. Taking a step back, if the concern is data, it may be helpful to separate the data from the IT platform it sits on, and from there, zero-in on the issues – both opportunities and risks.

The role of CDO

Increasingly, companies are appointing CDO’s — Chief Data Officer — tasked with implementing governance over the data initiatives, and aligning activity to execute data strategy.   The responsibilities of the CDO vary across organizations, but in general, they should be looked to by the Boards to help understand and navigate data-related matters.

A good CDO focuses on all aspects data – opportunity, risks and obligations.  They are conversant on the technology tools that process, store and transmit data, and can help the Board members understand the topic with clarity so they can engage with executive leadership.  Board members should consider seeking support and advice from experienced CDOs to help them navigate data-related matters in the organizations they oversee.

Conclusion

Data has always been critical to organizations.  In recent years, its increasingly being recognized and treated as an asset that can be leveraged to provide added benefit to organizations, whether through increased revenue or operational efficiencies, and that benefit is tied to the rapidly evolving field of data science as well as the incredible growth in available data.  With the increased prominence of data at the strategic level, Boards of Directors and Senior Executive Leadership are expected to understand and provide direction around the use of data and management of related risks. CDO’s can serve as a valuable resource to help Boards in fulfilling their responsibilities.  

Contact me at james@jhoward.us

Information Management and Governance, Uncategorized

Role of the CDO: Learning from the Past to Enable the Future

The role of the Chief Data Officer is evolving quickly, and has been compared to the CIO of the early 90’s, in that the CIO role was just starting to take shape, companies were just beginning to appoint CIOs and they were struggling to define responsibilities.  The similarities don’t end there. Consider:

  • Early CIO’s had strong IT backgrounds, but often didn’t truly understand the business they were supporting.  In some other cases, it was the exact reverse – the CIO was a business person with limited (or no) understanding of IT
  • The CIO was a “second tier C-level executive”, often reporting to the CFO.  This was often because in those days, the CFO was thought of as the principal consumer of IT, and companies failed to recognize how computers – notably PCs –  were penetrating and enabling other areas of the business. This lead to frustration among users, “shadow IT” lacking formality and control, and an incomplete understanding of the overall IT portfolio and spend.
  • Every CIO was different, and every IT mission was different, and highly tailored to each company.  In hindsight, the industry was “fumbling” (a term not meant in a disparaging way) as the IT industry went through a massive evolution; some may remember Tom Watson’s prediction that there would only ever be a market for maybe five computers.
  • The CIO’s senior staff were often technically proficient in their respective areas, but not very aware of the needs of the business they were supporting – and they lacked the tools to build the necessary bridges.
  • There was very little interface with “users” (a new term at the time) because most systems under the CIO’s purview were specialized and vertical, or were infrastructure – and end-user computing was evolving on its own, outside the CIO’s scope of responsibility.
  • Numerous “disasters” have taken place tied to IT (whether failed initiatives, outages, breaches or hacks) and the post-event analysis often failed to properly address the underlying issue, perhaps due to lack of understanding, or a desire not to reveal the extent of the issue, or because the business was not fulfilling their responsibility relative to IT governance.

In 1994, Charles B. Wang published the book “Techno Vision: An Executive’s Survival Guide to Understanding and Managing Information Technology”.  In the book, Mr. Wang shines a light on the “disconnect” between IT and the business they support, as it relates to understanding the role technology can play, and he makes suggestions on how to address the gap.

Now in 2018, the CIO is a universally accepted role, but there are still plenty of examples where the CIO has limited (or no) understanding of the business, and the business leaders’ eyes glaze over when any technology topics arise.  And IT is one of the largest line items on corporate budgets.

Enter the CDO

Conservative predictions foresee a massive increase in number of information-related products and services, as well as company spend on information-related initiatives.  Not to mention the exponential growth of information itself.  It’s helpful to look at the “typical” CDO in 2018, as a way to anticipate trajectories and avoid similar pitfalls that were seen with the evolution of the CIO.  Consider for comparison:

  • Most organizations are recognizing the transformative potential that exists in leveraging information, but the majority have not appointed CDOs.  And some organizations have appointed CDOs internally who don’t have an information management background.
  • Many organizations have emphasized the technical aspects of information leverage, and have appointed Data Scientists as the top leaders in information management, who in turn have flushed out their teams with data scientists and analysts.
  • Certain segments of the market – insurance, for example – seem to view information management as an “IT thing” and often place the CDO under the CIO, which immediately limits their ability to be successful.
  • Many companies are reacting to steps taken by their peers, and have appointed “me too” CDOs with limited thought to their responsibilities, scopes and measures.  As a result, vision and strategies are incomplete or non-existent.
  • Upon arrival, many CDOs are dumped on, getting assigned responsibilities that are at best loosely tied to information, but weren’t necessarily part of the scope originally envisioned.  This immediately interferes with their ability to deliver, even if the new responsibilities are appropriate and legitimate.
  • CDO’s teams are often thinly staffed, and are expected to transform the organization by exerting political influence on other leaders, often who have conflicting agendas or are protecting their turf.
  • Many business leaders speak about, but don’t understand, the strategic role that information leverage can play in their organizations, due to a lack of data literacy.

To be sure, none of these should be seen as evidence that the CDO is a passing fad or a failure.  Quite the opposite: there is a recognized need for a CDO, who is emerging as the executive who must pull together and execute a strategy to gain benefit from leveraging information.  Unlike other trendy business fads, the CDO is tasked with making use of a resource that is already there – and growing – increasingly recognized as key to greater prosperity.  By investigating the challenges faced by many early CIOs, there are opportunities for the CDO to learn from the past, and avoid similar issues.  

Support and Empowerment

For most forward-looking organizations, the CDO should be a company-wide role.  The CDO should be seen as a senior executive, should report to the highest levels of the organization, and have broad authority to effect policy and influence behavior.  They should have visibility and accountability to the Board of Directors. In terms of support, the CDO should have resources to execute in a credible way, including personnel and tools.   

Scope and Responsibility

If an organization believes that information is their lifeblood, and that leveraging information is key to continued success (or relevance), then they are acknowledging the strategic importance of information.  The CDO’s scope should align with the role information plays — both in terms of opportunity and obligation. Meaning, they should be tasked with deriving benefit from information in a way reflective of their business, but should also be responsible for ensuring obligations are met and risk is managed for that data.  

Qualification

The CDO is not a technician; they are a business executive.  While it is difficult to imagine there are enough CDO’s in the market who have deep understanding of the businesses of their employers, a good CDO should be able to bridge their skills as an information leader to the businesses they are tasked with enabling.  Just as a banking or manufacturing executive knows banking and manufacturing, the CDO knows information management. And just as that banking or manufacturing executive doesn’t understand every technical nuance of their business, the CDO needs to know enough to direct and guide their specialists.

Structure

Charles Wang, in his book, discussed the disconnect between IT and the business they support, and the risk of this occurring with the CDO is just as real.  In the 24 years since he published the book, some business leaders are just as illiterate in IT as they were then, but the breadth of tools is immeasurably wider.  Data Science is maturing at an incredible pace, and businesses are struggling to understand the intersection between what they do and the potential value data can add.  To help address this, the CDO needs to establish strong relationships with the business counterparts, and help develop data strategies. They need to work with the data scientists to identify potential use cases and opportunities with data, getting the business leaders on board.  While the CDO has a high degree of responsibility for helping execute the data strategies, ultimately the business leaders are accountable to their own stakeholders for the success of the data initiatives within their areas.

One model to establish and maintain the relationships is through a governance council or steering group, chaired by the CDO and attended by senior leaders across the organization.  The members are responsible for their own information investments, and attend the council to help ensure alignment to vision and consistency of strategy.

Scientific Method

WikiPedia tells us that:

Scientific method is an empirical method of knowledge acquisition, which has characterized the development of natural science since at least the 17th century, involving careful observation, which includes rigorous skepticism about what is observed, given that cognitive assumptions about how the world works influence how one interprets a percept; formulating hypotheses, via induction, based on such observations; experimental testing and measurement of deductions drawn from the hypotheses; and refinement (or elimination) of the hypotheses based on the experimental findings.  (before the reader dismisses this for having come from Wikipedia, the definition is pretty consistent with other sources)

The adoption of Data Science in business frequently takes a very different approach, where data scientists are empowered, and ask for more and more data to “play” with to see what they can come up with.  Perhaps this was the result of companies moving directly to the technical solution without first establishing a business vision and strategy, in coordination with their own business leaders. While some very interesting discoveries were probably made, there is likely there were a high degree of false starts, or developments that served no business purpose, or instances where the obligations limiting use of data were violated.  And without an appropriate degree of skepticism, can they be certain the algorithms really work?

Perhaps a more structured approach makes sense, taking a page from Scientific Method.  The data strategy should be articulated by the business, and transformed into a series of initiatives, some of which require research and experimentations. Certain of these should be treated like research endeavours with hypotheses formed – with significant participation by both the data scientists and the business stakeholders – which are proven in a lab setting before productizing and deployment.  

Relationships

The CDO is going to have to rely on relationships to a great extent for several reasons, including (1) the role is new and evolving, (2) many of the responsibilities the CDO should take on are initially held by others, leading to political turf-wars, and (3) at least initially, the responsibility for execution of initiatives is shared with other business stakeholders.  

Certain key relationships stand out, including:

CIO: The CDO’s initial scope probably most closely overlaps with the CIO, partly because up until the CDO’s appointment, many information-related initiatives were likely assigned to the CIO by default.  It’s critical that the relationship evolve more to a service-provider/client model, where the CDO looks to the CIO to develop technology solutions to meet business requirements for information management, and the CDO has to be careful not to overstep and attempt to drive the architecture of the solutions.

CISO: A key responsibility for the CDO is information protection.  Whereas the CISO has historically been responsible for blanket IT security, the CDO should have greater insight into the relative value of information sets, as well as how they should be accessed, transmitted and processed.  Moreover, the CDO should have greater insight into unique handling obligations tied to particular information sets. Meeting those obligations and protecting the information is likely achieved by a combination of controls — administrative, technical, manual, policy, physical, etc., responsibility for which may initially be spread across the organization.  So the CDO should emerge as a stakeholder for the CISO, where the CDO provides requirements and the CISO implements controls to address those requirements.

CPO: Much of the information leveraged by an organization might be subject to regulatory requirements, and some of those my fall into the category of PII, generally managed by the CPO.  Whereas the traditional scope of the CISO overlaps with the CDO, in the case of the CPO, the CPO’s scope is entirely contained within the scope of the CDO (after all, the second “I” in “PII” stands for “Information”).  The privacy rules are only one set of obligations, and apply to only a portion of an organization’s overall information portfolio. So logically, the CPO should move into the office of the CDO — with appropriate relationships with legal counsel to ensure regulations are interpreted properly.

Regulators: In organizations beholden to regulatory oversight (banks, insurance companies, accounting firms, government contractors, healthcare institutions), analysis reveals that a key concern driving the regulations is the handling of information.  And since the CDO’s objective is to manipulate and leverage information, it follows that it’s critical for the CDO to ensure that proposed data-use initiatives conform to regulatory requirements by design. Moreover, everyone — including regulators — are grappling with the new ways information can be used, and the appropriate ways regulations apply.  So it’s critical that the CDO establish a relationship with their regulators, so the regulators see the organization’s use of data through a clear lens and react fairly. This also provides common ground and language in the event regulators identify potential issues — or if data incidents occur.

Risk Management: Most larger organizations have recognized the importance of proactively measuring, monitoring and mitigating risk along lines appropriate to their business structure and objectives.  These evolve from time to time as the business environment changes – for example, the formation of IT Risk Management functions over the last 10 years. They are very useful for a variety of reasons, including establishing a common understanding of what can go wrong, potential consequences, and agreement on appropriate mitigating steps to take.  Given the rapid emergence and evolution of data science — algorithms, AI, cognitive, etc., — the market has limited experience with assessing data risk, grappling issues, and establishing a balanced risk acceptance/mitigation model. And this evolution is taking place at a pace far greater than control and risk management techniques. In the past, implementing formal Risk Management usually follows a catastrophic event that serves as a wake-up call, and the pendulum swings hard back toward the conservative end of the spectrum.  That in itself is a risk, since organizations might overcompensate, lose momentum, give up favorable market position, and miss opportunities while the re-trench. A much better approach is for the CDO to incorporate risk management into processes, by design. Risk should be assessed during design phases and mitigated during development phases, not after the fact.  This strengthens the argument for embracing Scientific Method during the development of data initiatives.

Conclusion

These are exciting times to be involved with information management.  The science is evolving and technology is becoming powerful enough to allow organizations to do incredible things.  Companies are scrambling to invest and exploit the opportunities created by data, and are placing sizeable bets on what they hope will return profit, with some degree of luck.  But “hope” is not a business strategy, and some argue there is no such thing as “luck”. Appointing, supporting and enabling a CDO is a significant step to help ensure success of the program, and applying lessons learned from other new classes of executives can help ensure the success of the CDO.

Contact me at james@jhoward.us

Information Management and Governance, Information protection, Uncategorized

The Role of the CDO in Counter Industrial Espionage

When one thinks of spies and espionage, our imaginations usually turn to James Bond and Jason Bourne stories.  But with the end of the cold war, many former intelligence officers found more lucrative opportunities in the private sector, offering their services to non-government organizations that were perfectly willing to leverage the research and development capabilities of their competitors.

Fast forward to a time where the economic competition between companies affects political tension between nations, where some nations see nothing wrong with applying techniques developed during cold and shooting wars to provide their own companies with ill-gotten advantages – even at the expense of political allies.

Politico recently published this article that discusses how companies in the Bay Area have become targets for industrial espionage originating from China, Russia and other nation-states.  The article touches on the breadth and depth of the problem, including making a very interesting point that many companies choose not to prosecute espionage cases.  Its remarkable that even when faced with irrefutable evidence, many corporate leaders choose to ignore the facts and fail to notify stakeholders, for fear of how it will reflect on them or affect share price.

There is no doubt that building defenses against industrial espionage is a complicated task, made harder because (1) information has to remain available and usable by the organization, and (2) the organization has to anticipate a wide range of attack “vectors” whereas the intruder only needs one to work.  And if this wasn’t complicated enough already, industrial spies don’t just target computer systems, they target people.  If truly successful, the organization won’t know they’ve been hit until they see a foreign version of their new product, far too similar to the original to be coincidence.

This is not an IT problem

Most organizational leaders equate information to technology, conclude this is an IT problem, and assign responsibility to the CISO to implement appropriate protections.  This logic is flawed for many reasons, not the least of which is the CISO typically has little to no ability to enforce security policies for systems not “owned” by the CIO, nor have the organizational scope to address the behaviors of people.

Although information theft frequently include IT and cyber vectors, people are often near or at the epicenter of an espionage case.  People enable the theft either by actively participating, or by carelessly allowing it to happen.  Professionals who study espionage have determined that people are motivated to betray their employer (or country) for one of 4 reasons, using the acronym “MICE”:

  1. Money – the actor either sees this as a way to get rich, or are financially distressed (in debt, recently divorced, have a gambling problem, etc).
  2. Ideology – the actor believes the organization is somehow evil, and betrayal is a way for the actor to cause harm or suffering, thinking it was deserved,
  3. Coercion (or Compromise) – the actor has a secret that makes them vulnerable to extortion, or are threatened with physical harm to themselves or their loved ones,
  4. Ego – the actor thinks they are smarter than the organization, and can get way with it, or are enticed to spy believing it makes them more important.

None of these touch the ways in which people through their actions, innocently permit espionage to occur.  People are helpful and hold the door for others – especially if their hands are full.  Or take calls wanting to assist the caller (who they assume are authorized to ask what they are asking).  People are reluctant to challenge strangers in the hallways, and a startling number of companies don’t require employees and visitors to display ID badges while on-site.  Doors and drawers are left unlocked and clean-desk policies are seen as burdensome.  There is widespread belief that “it can’t happen to us.”

Where does the CDO fit in?

Industrial spies seek to steal information to gain economic or competitive advantage, and work tirelessly on creative ways to get it.

In basic economic terms, its worth stealing information if theft is cheaper than developing it — assuming ethics aren’t an issue, and the risk of getting discovered is acceptable.  So defending against the theft can be thought of as making it more expensive to steal information than it is to develop or acquire it through other means.

The CDO fits in because they are at the intersection of information use, protection and quality.  They should be in the best position to understand what information is most valuable, or put another way, what information, if lost or stolen, would cause what degree of harm to the organization.  And by understanding where and how information is stored and processed, they are in a good position to provide input on how to protect it.

The CDO’s strategy includes elements that are helpful to guard against industrial espionage.  Some steps the CDO can take include

  1. Classify information as an asset (even if informally, and not captured in the financial statements), and assign economic value, so that protections can be developed that are proportional to the value.
  2. Inventory information and work with the Data Governance Council to identify those broad categories that are most vulnerable and attractive to a spy.  They might include the obvious — patents, methods, formulas, algorithms — as well as some less obvious — executive contacts information, network diagrams, or even payroll information (knowing how much people are paid help know who may be vulnerable to financial pressure).
  3. Liaise with corporate security to gain an understanding of how they are working to protect the organization.  Many of these leaders are former law enforcement professionals, often don’t have an appreciation of the relative value of information within the organization, and will welcome allies on the “business side” to help raise awareness and improve corporate posture.
  4. There is no doubt that nowadays, cyber is a vector frequently exploited to steal information.  Liaise with the CISO to convey proper information protection requirements that need to be reflected in IT systems, proportional to the value of the information in question.
  5. Again, working with the CISO and compliance groups, adjust data loss prevention (DLP) tools to monitor for exfiltration of the most sensitive information.  These procedures need to include investigative and response processes, and may already exist (e.g., privacy rules often include requirements for breach management procedures, and these are very leverageable for this purpose).
  6. A significant part of a risk mitigation plan includes raising awareness among the organization’s people — employees as well as contractors and third-parties.  The CDO can spearhead this themselves, or collaborate with the group responsible for promulgating policy and procedures covering actions and behavior.
  7. Some spies have figured out that if their primary target (say, a high-tech company) is too hard to penetrate, they will instead shift focus to the target’s advisors (legal, auditors, consultants, professional services), since they are trusted by the primary target, but are often more vulnerable and may have weaker controls.  The CDO should understand what business partners and third parties have access or custody of information and — and along with the TPO (Third Party Oversight) function — can mitigate the relative information risk associated with them.

Protecting an organization against industrial espionage is very difficult for a wide range of reasons.  And since the asset sought after by the spies is information, the CDO is central to implementing protections and managing risk.  Success can’t be measure in absolute terms, but instead in increments — implementing small steps puts the organization in a better position than not having the small steps.

Contact me at james@jhoward.us

Information Management and Governance, Uncategorized

Role of the CDO in Preserving Client Trust

Trust takes years to build, seconds to break and forever to repair

Information in a client relationship:

In today’s business environment, the relationship between organizations and their clients is increasingly multidimensional, whether the clients are individuals, organizations or combinations of the two.  And increasingly, a dimension of that relationship involves transacting with information. Consider:

  • Products or services provided to the client rely, to a greater or lesser degree, on information that is provided by the client, enriched with other sources, or developed organically by the organization,
  • In the course of providing service, the organization takes in and may retain client information to directly or indirectly enable, enhance or enrich client experience.  For example, client account information, CRM data, payment information, loyalty profile information,
  • In many settings, organizations retain details of transactions for record-keeping purposes, required by regulations or industry standards.
  • In other settings, information taken in during a transaction contributes to enriching a dataset or training an algorithm, which in turn improves subsequent transactions

An element of client and customer loyalty is the belief in the ongoing usefulness and quality of the products and services, and trust that the organization will not violate the implicit or explicit terms of their relationship.   

So what is the CDO’s role in preserving trust?

Data is playing an increasingly prominent role in most organizations’ products and services, whether as net-new data-oriented offerings, or by enriching existing products and services, or helping to optimize internal decision-making and operations.  So how does data play into client trust? Three ways..

Data becoming part of products and services:

As data becomes more integral to products and services, it becomes a more important part of the client experience.  Depending on the use case, the breadth, depth and range of data used to enrich the product/service will increasingly become a competitive differentiator.  Just like the race to add features to on-up the competition, the richness of the data-sets will be used to distinguish one offering from another.  For example,

  • The AI features of a consumer electronic device (enhanced by a richer training data-set),
  • The relevance and number of true-peer companies represented in a data set used to recommend new or improved business practices,
  • The number and range of inputs into a cognitive engine used to forecast business trends,
  • The range of inputs and sensors measuring performance on an industrial device, and the real-time analytics optimizing performance, and
  • The number of additional data sources used to enrich a dataset licensed to clients, and the ability to adjust quickly.

Data vision describes the ways an organization wants to integrate data into products and services, and the data strategy lays out how the organization plans to get there.  The CDO is responsible for coordinating the data vision and ensuring execution of the data strategy including sourcing and managing data through its lifecycle.  

So it follows that the more the product or service relies on data to meet client needs, then the more the CDO is key to deliver on those data capabilities.  And the more the organization demonstrates the ability to deliver value, the more the client will trust the organization and their brand.

Data quality:

Quality and reliability are central to trust and a client’s desire to engage with an organization.  Trust that the quality and reliability will remain is key to maintaining an ongoing relationship. This is true whether at the consumer level, where the transaction involves buying a product, or choosing a doctor or bank, or at the corporate level, buying products or supplies, or engaging an advisor or a BPO.

As the products and services become more dependent on data, issues with quality and integrity of the data can have a greater impact on the product or services, which affects the reputation of the organization and the sustainability of the client relationship.  Revisiting the examples from above, consider the following:

  • What if the AI features of the consumer electronic device can’t respond to queries appropriately, or worse, actions are inconsistent?
  • What if the datasets used to base business recommendations are outdated, or the reference companies aren’t peers?
  • What if the data used to train a cognitive algorithm is representative of the business or transactions being modelled?
  • What of the sensors are tuned for metric units but comparative data is in imperial units? and
  • What if the organization doesn’t have rights to the data used to enrich a dataset licensed to a client?

Assessing risks to the quality of data starts with a data risk management cycle to understand what can reasonably go wrong, and the impact those events can have on the products/services relying on the data.  Flowing from this, an organization should implement a right-sized set of governance and management processes. These not only catalog data with a common ontology and taxonomy, but they track data lineage through its lifecycle from generation/acquisition, through use, and ultimately disposition.  Ideally, this overlays all key systems and processes in an organization, but pragmatically, they should prioritize the more impactful data (hence the use of the term “right-sized”).

As the CDO should be the business owner of the data governance and management processes, it follows that properly ensuring the quality of data augmenting client-facing products and services is the CDO’s responsibility.  This connects the CDO directly to the trust the clients have in the products and services provided by the organization.

Data protection:

The third leg in a CDO’s stool is data protection.  Data used to enhance products and services belongs to someone.  And that “someone” generally has an expectation for the protection of their information, expressed through a combination of policies, contracts and regulations.

When a client hands their over information to an organization, they generally do so with the expectation of getting something in return — usually some sort of service or added value.  The hallmark of a great business relationship is when the client feels comfortable sharing their most important information – relatively openly and seamlessly – in order to get proportional value in return, without having to worry whether the organization will accidentally or maliciously mishandle the information in any way.

So it follows that in order to ensure the client’s expectations are met with respect to handling of their information, the CDO needs to have a clear understanding of where the information is, what is it being used for, who has access to it, what are the constraints and limitations around its use, and what the client expectations are in the event of misuse/exposure/breach and finally, retention/disposition requirements.  The CDO also needs an understanding of the softer elements, meaning, what are the unstated expectations for handling the information that are baked into the relationship with the client, and how can they be met.  The CDO converts these to information protection requirements they provide to the CIO, CISO, HR, Physical Security, etc., within their organization.   

Failing to treat information in line with requirements and expectations can lead to a variety of consequences, including regulatory fines, brand damage and loss of client trust.

Conclusion:

As relationships between organizations and their clients gets more complex, and involves the transfer of increasingly valuable data, its incumbent on the CDO to understand and help the organization meet client expectations with respect to use, quality and protection of data.  In this way, the CDO helps preserve client trust.

Contact me at james@jhoward.us

 

Information Management and Governance, Information protection, Uncategorized

Data Ethics and the CDO

A wise man once told a cheeky arachnid, “With great power comes great responsibility!”

This is a particularly relevant quote in the context of the evolving data economy. CDO’s may think of themselves as caped crusaders saving mankind, and the truth is they are indeed playing an increasingly critical role to help ensure that organizations can successfully transition to their rightful place in the new data economy.

Consider the following:

  • Overwhelmingly, CEOs believe leveraging data as an asset will be more than a game-changer, and will soon become a critical differentiator to remain successful and relevant – and not all companies will make it;
  • Available data – both volume and variety – continues to grow at an impressive rate;
  • Data science and tools are moving in lock-step with the data growth, finding new ways to derive value from data, creating transformative and disruptive opportunities;
  • Data events – intrusions, breaches and exposures – are also growing at an alarming rate; in 2018 alone, hundreds of millions of people-related records have been targeted, exposed or breached (and that’s just the ones detected); and
  • Regulators – notably the EU and the State of California – are responding with complicated requirements, that will impact a great majority of organizations, and more jurisdictions will follow.

What is the role of the CDO?

The CDO’s primary responsibility is to establish the vision and execute a strategy to leverage data in a responsible way.  This ranges from monetizing data directly, through sale or licensing data, to creating new or enhancing existing products and services with data, to optimizing operations by augmenting decision-making with data.  This is a tall order, and needs to combine insights into available opportunities, maturity of the organization to embrace change, and expectations of organizational Leadership with the support they provide.  After all, if leadership isn’t on-board, a data program is not likely to be successful.

The other responsibility addresses meeting the obligations tied to the data, which starts with data ethics.   Just because we can do certain things with data, should we?  Consider some inputs to that decision:

  • Harm– As with medicine, and as the business person overseeing data initiatives, the CDO should start from the commitment to “do no harm”. The CDO should have a methodology for analyzing and socializing potential data solutions to understand the potential consequential impacts.
  • Legality– The CDO should collaborate with counsel to develop a clear understanding of where legal boundaries lie. As with “do no harm”, organizations should not break the law.  The CDO has an important role, because sometimes there is legal risk (heightened probability that a law will be – or perceived to be – broken), and analysis presented to decision-makers should be clear.  As with other cutting edge sciences, senior leadership may not be as data-literate as the CDO or the data scientists.
  • Expectations– An initiative may be “legal” – technically – and even cause no actual harm, but the organization should be comfortable that stakeholders or clients would not be so disappointed with an outcome that the organization’s brand is impacted or clients go elsewhere. A consumer-client has a different tolerance level than client-companies; consumers take reactionary queues from society, media and social-networks, often with unpredictable results.  Client companies have their own stakeholders, regulators and clients to look out for, which drive their reaction.  Moreover, an un-harmful but “creepy” initiative may draw unwanted scrutiny from a regulator, resulting in the organization expending resources to address.
  • Profit – will the initiative make money, even if risks are mitigated and obligations are met, and expectations are intact? A CDO will be presented (pitched?) with dozens of cool ideas, and has to know how to analyze them for fit within the organization. This is trickier than it seems, because data science presents data-oriented opportunities in organizations not used to the data economy.   The decision-making process around investing in a new plant or product in, say, a manufacturing company may be very different than deciding to invest in a data-driven feature or capability.  And simply “willing it to happen” isn’t enough.
  • Consequences– Suppose the organization bets wrong.  What if the initiative fails to deliver on the planned profit, or simply doesn’t work?  This is manageable through various pathways – insurance, hedges, accounting treatment, etc.  But what if the organization creates a proverbial monster?  Recent debate around AI comes to mind, with AI appearing to evolving in lab settings.  What if, in hindsight, the organization realizes they did something deeply wrong or harmful – should they have been expected to anticipate and alter course?  Recently, companies have ceased to exist because they pursued what seemed like sanctioned or low-risk data-driven initiatives, failing to anticipate social and political outrage.

The data economy presents opportunities never before available to business.  Some organizations will choose to gamble risk against profit.  Others will take a step back and forego immediate opportunities, adopting a wait-and-see attitude.  Some from each group will succeed while others fail.

Like any new science that affects humanity, data science should adopt a canon of ethics that balances achieving benefit against the risk of harm.

No doubt the CDO plays a central role in making or orchestrating decisions and administering data.  As the steward of the data vision and strategy, the CDO must be able to think through the upsides and downsides with balance and objectivity and be willing to stand behind the ethics of decisions, after the fact.

Contact me at james@jhoward.us