Tag: IT Risk Management

CDO, CPO, IAPP, Information Management and Governance, Information protection, Privacy, Risk management

Beyond the Blind Spots: The Efficiency Trap in Privacy Compliance for Mid-Market Companies

James Howard

In the rush to scale, many companies—ranging from start-ups to mid-market enterprises—often make a pragmatic, yet perilous, decision: they treat privacy compliance as a “side desk” assignment.

Whether it lands with the CISO, the IT Director, or the General Counsel, the mandate is usually the same: “Make it work, keep it lean, and don’t let it slow us down.”

As a result, we are seeing a massive shift toward “efficiency-first” privacy. For the non-specialist leader tasked with this responsibility, the pressure is immense. To bridge the knowledge gap, many are turning to Generative AI to draft policies or manage data maps.

But there is a fundamental difference between having a policy and operationalizing a program.

The AI Mirage and the Knowledge Gap

AI is an incredible tool for documentation, but it lacks the “institutional muscle memory” required for true governance. It can’t sit in an Audit Committee meeting and explain why a specific data flow was deemed a high risk, nor can it navigate the nuance of a complex cross-border data transfer agreement.

For the CISO, IT Director or Legal Officer, relying solely on AI or automated “checkbox” software creates a false sense of security. It leaves behind “blind spots”—the operational gaps where data actually lives, moves, and leaks.

The New Frontier: Internal AI Adoption and Overlapping Risk

The challenge is no longer just about protecting static databases; it is about the explosive, often unmanaged, use of AI tools across every department. From marketing teams using LLMs for copy to engineering teams using AI to refactor code, “Shadow AI” is the new Shadow IT.

This creates a dangerous overlap between AI Risk and Privacy Risk:

  • Data Leakage: Sensitive customer data or trade secrets being used to train third-party models.
  • Algorithmic Bias: Automated decisions that may inadvertently violate privacy rights or fair-practice regulations.
  • Compliance Triggers: Under frameworks like the EU AI Act or evolving state laws, the mere use of AI often triggers mandatory Data Protection Impact Assessments (DPIAs) that most non-specialists aren’t equipped to perform.

When AI and privacy risks collide, they create a “force multiplier” for liability. You cannot govern AI without a mature privacy framework, and you cannot have a modern privacy framework while ignoring your company’s AI footprint.

Building on a Framework, Not Just a Feeling

True privacy compliance isn’t about the software you buy; it’s about the framework you build and the processes you implement. Boards and Audit Committees are increasingly looking for evidence of Operationalized Compliance:

  1. Repeatable Processes: How do you handle a DSAR (Data Subject Access Request) on a Tuesday morning without it becoming a four-department fire drill?
  2. Risk Documentation: Can you demonstrate that privacy-by-design (and AI-by-design) was considered before the new product feature was pushed to production?
  3. Vendor Governance: Do you actually know what your third-party AI and SaaS providers are doing with your data?

The Strategic Value of the Fractional CPO

For mid-market firms—and the PE/VC firms that back them—hiring a full-time, six-figure Chief Privacy Officer is often overkill. Yet, leaving a CISO or IT Director to “figure it out” increases the risk of a regulatory bottleneck during due diligence or an exit.

This is where the Fractional CPO changes the math. A Fractional CPO provides the specialized oversight of an executive-level expert at a fraction of the cost. They don’t just “check boxes”; they build the framework that allows the CISO and Legal teams to execute with confidence.

The goal isn’t just to stay out of trouble. It’s to build a high-velocity business where privacy is a fuel, not a brake.

Conclusion: Moving From Risk to Resilience

In the modern regulatory landscape, “compliance” is no longer a static destination—it is a continuous operational state. For mid-market companies, the efficiency trap of delegating privacy to overextended non-specialists or relying solely on AI tools creates vulnerabilities that only become visible when it’s too late.

By integrating fractional expertise, leadership can move beyond the blind spots. You gain the ability to navigate the complex intersection of AI innovation and data protection without the overhead of a full-time executive hire. Ultimately, operationalizing your privacy program doesn’t just satisfy auditors or investors; it builds the trust and resilience necessary to compete in an AI-driven economy.

Questions for the Board & Leadership:

  • Is our privacy lead an expert, or a generalist wearing too many hats?
  • Do we have a clear inventory of where AI is being used and what data is being shared with it?
  • If a regulator knocked tomorrow, could we show an operationalized process, or just a folder of AI-generated PDFs?
  • Are we leveraging fractional expertise to de-risk our upcoming exit or audit?
CCPA, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy, Risk management

Why do we have such a hard time understanding, assessing and managing risk?

James Howard

Introduction

Risk is a real concept that manifests across life.   Within a business context, risk management is a valuable tool to help improve the probability of success.  This paper explores the role of a risk manager, and is applicable across the board – whether business processes, technology, security, privacy, information or enterprise.  The reader can easily extrapolate the ideas to any aspect of life.

Definition and Reporting

Definition of risk: The probability or threat of quantifiable damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.

The key word is “probability” – the likelihood that the event will occur.  In some instances, that can be calculated empirically, if all inputs and effects are known, where triggers can be identified – even if random (roll of the dice).  Other times, probability can be estimated based on historical data around similar conditions (50% chance of rain).

Other times, especially in business settings, there are more variables than can be practically tracked and quantified.  In those settings, Risk Managers use judgment to assess the risk of an event occurring.  The risks are usually classified in a 3 or 5 point scale – say, red, yellow, green or severe, major, moderate, minor and insignificant.   And the more knowledgeable the Risk Manager, the more insightful their assessment of risk, but it still remains a probability.

Challenges

Communicating risk gets complicated when we start factoring in risk mitigating strategies – avoid, reduce, transfer, accept—and reduction techniques – controls, TOD/TOE, residual risk, control risk, etc.

Even within the mitigating strategies there are grey areas – avoiding has consequences (lost opportunities), acceptance doesn’t mean the adverse event will occur, reduction doesn’t mean eliminate.

While some leaders claim they are comfortable navigating uncertainty, there is no question that business hates risk: markets react to uncertainty, and “punish” companies that operate with too many unknowns, and reward those that demonstrate clarity.

People publish dashboards and discuss numbers of controls, as though they were currency – more controls must be better – even though one good (strong) control could replace many poor (weak) controls.  Even auditors are reluctant to rely on process controls and would rather verify every transaction instead (assuming they could).

So what’s the issue?

To some extent, we, as Risk Managers, are the issue.  When asked about risk, we articulate it in our own language:

Risk Manager to Client (or internal business stakeholder): “there is a risk that such-and-such could happen that has these consequences”

Client: “how likely?”

RM: “moderate”

Client: (thinks: “huh?”) “what can we do about it”

RM: “implement x-y-z control”

Client: “will that make it go away”

RM: “implementing this control will reduce the risk, but it leaves a residual risk”

Client: (thinks: “huh?”) “Is that a ‘yes’?  Why wouldn’t you just do it?  And what’s that mean?”

RM: “here – sign this ‘residual risk acceptance document’”

Client: “ok – done”.  (thinks: “thank god that’s over!”) Back to business as usual.

Let’s face, this exchange isn’t very helpful.  The Client clearly doesn’t understand the risk as a potential impact to his/her business, and the “residual risk acceptance document” is a rubber-stamp.

Who owns the risk?  Risk Managers say that their business process stakeholders own the risk, and the Risk Manager’s role is to explain the risk, options for control, and residual risk.  However, it’s fair to say that the business process stakeholders often doesn’t truly accept their role, or if they did, they would engage in a more meaningful dialog.  And the residual risk acceptance document effectively nullifies the dialog.

If the controls are effective, or for whatever reason, the risk fails to manifest, then what?  How often does the client step back and acknowledge that RM did their job and issues were avoided?  Or does the client question why the risk management exercise was undertaken?  On the other hand, if an adverse event takes place, despite controls, does the client look at RM as though they failed?  The cynical reader would point out that if the on-going processes of managing risk management were part of core operations, then you wouldn’t see a spike in RM funding after an event takes place; you might see some refinement or realignment, but not a huge uptick in funding…

An alternative approach

So the challenge is how to meaningfully communicate risk to leadership in a way that puts risk in a business context.

First, one must keep clear: generally speaking, risk can’t be eliminated if the business wants to undertake the activity that introduces the risk.  That said, the Risk Manager can keep the following in mind as these points might promote meaningful communication:

  1. Articulate the risk in familiar business terms (“speak English!”). Explain what would have to happen to trigger the risk.  If you describe a chicken-little event without explaining the triggers, you might get dismissed.
  2. Be realistic when describing the risk and the likelihood. The likelihood should include realistic related events.
  3. Propose options for mitigating the risk, including avoid-reduce-transfer-accept. Bring a reasonable amount of research to present viable options, and be able to articulate the residual risk.
  4. Understand appetite for risk at an appropriate level. A mid-level manager may have a different appetite for risk than the CEO.
  5. Consider what kinds of risks needs to be escalated and to what level: Don’t present a risk to a CEO in a “Enterprise Risk Management” setting that should be addressed by a mid-level manager.
  6. Be realistic in evaluating the consequences of the risk. Walk the stakeholder through understanding the various consequential outcomes to help determine an appropriate mitigating strategy.
  7. Make clear who owns the risk. Get rid of “risk acceptance” documents – if a risk is significant enough to warrant action, it should be pursued.  Risk Acceptance documents are an attempt to shift/assign responsibility, and if they are needed, then they will also be ignored in the post-mortem.
  8. Acknowledge that business environments are dynamic, and events rarely unfold negative risks occur. People intervene.  Processes engage.  The outcome is rarely what was predicted when the risk was recorded.  And the more catastrophic the risk, the more it morphs as it unfolds.

Many of these considerations apply in the post-mortem stage.  One of the big challenges in the risk management community is one of appropriate hindsight.  When evaluating changes to make in risk management in light of an event, it’s important to remember what was known and considered at the time risks were assessed.

The overarching themes in this article is that risk managers need to be realistic when articulating risks, consequences and controls.  Risk managers must recognize they need to bridge the communications gap to their stakeholders by describing risks in business terms that will resonate.

Risk is a fact of life in every aspect of business.  Bad stuff happens, and risk management is not risk “elimination”.  Risk managers play a critical role, and by thoughtfully supporting their stakeholders, they can help business accelerate forward.

 

 

CDO, CPO, Information Management and Governance, Information protection, Privacy

CDO’s Role in Managing Data Breaches

James Howard

In the span of a week, we’ve see data breaches affecting 600 million people.  For perspective, that’s more than every man, woman and child in the US, Russia, Canada, Britain and Australia combined.  And the damage may not be done, as scammers and other bad actors frequently take advantage of the widespread confusion that follows these sorts of incidents.

Moreover, as the investigations unfold, we will begin to see the breadth and depth of what went wrong, who did what, and what steps must be taken to prevent this from happening in the future.

The risk manager in me says this will happen again, just as it’s happened before.  Data experts know all too well the challenges in implementing controls proportional risk, and counter-balancing every data initiative with the right set of controls — starting with asking whether the proposed data collection or use benefits are worth the downside risk.

So what does this mean to a Chief Data Officer?  In a word, everything. Why? Because data is at the center of every breach, and the CDO should be looking at the full picture around both data use and data risk.  The emerging role of the CDO in business positions them as a key executive in helping to reduce the risk of breach as well as to navigate the aftermath, protecting the organization’s brand.

Before a Data Incident

In the normal course of business, the CDO should be executing against the company’s data strategy and vision, and maintaining an inventory of critical data assets.  The inventory should include key meta-data — ownership, obligations, location, permissions, value, uses, etc — which forms an important part of a periodic risk analysis.  

The risk analysis considers threats, vulnerabilities, obligations and relative value of the data to conclude on appropriate protections.  The more progressive CDO’s will construct a holistic threat analysis that answers the question, “what could go wrong?” or “how might information be breached?” taking into account behavior of personnel, company culture, key business activities and positioning of the company in the marketplace.  Typically, such an analysis covers the spectrum from the seemingly mundane (accidents caused by carelessness or poor judgment), all the way to industrial espionage targeting company data, with a total of 5 or 6 categories in between. This analysis serves as a sounding board to validate the range of control activities, which includes everything from policy, to business practices, to training, to technical controls, and some instances where certain risks have to be accepted, insured against, or perhaps transferred elsewhere.

The CDO should provide business requirements to the CIO and CISO for appropriate technical measures to provide protections, which – depending on the sophistication of the company – could range from providing data classifications, to which the CISO or CIO react, all the way to explicit requirements for, say, encryption and access control.  

The inventory shines a light on whether all data on hand is truly necessary, or whether some can be disposed of.  Moreover, the CDO’s analysis of business processes using data can also question whether all data being collected is necessary.

The Board of Directors, senior executive leadership and internal audit should – to appropriate degrees – be aware of how the company is using data as well as the CDO’s assessment of risk and mitigating controls.  This will allow them to understand the risk/benefit around data use, and weigh in whether the business opportunities related to data use are sufficiently compelling.

The CDO maintains relationships with counsel to understand the legal aspect of obligations, and obtain sign-off on the sufficiency of the compliance programs.  The CDO should understand their regulators’ expectations and requirements around handling data, making sure their protection controls meet regulator expectations.  These steps are key, because most breaches — especially where regulated data is involved — will result in legal or regulatory exposure, and having transparency with counsel and regulators with streamline investigations.

The CDO should own (or be a key stakeholder in) the data incident management process. This is the process whereby data incidents — data loss, possible breaches or exposures — are logged, analyzed and investigated.

During a Data Incident

Sometimes, a target organization is aware of a data incident as it’s occurring.  Many companies have processes to respond in this event, which may focus on containment, interruption, or other priorities (allowing an attack to proceed in a controlled way may help law enforcement with their investigation).

The CDO should be available to help answer questions about the nature and location of data that may be accessed, as well as to begin preparing post-incident planning. Some data owners (e.g., Federal Government) have explicitly defined time frames to report data incidents, the CDO can get ahead of these requirements.  

Following a Data Incident

Companies should have a crisis management plan that includes defined procedures to be followed in the event of a cyber attack, data breach or exposure.  The details of these plans are tailored to each company, and generally emphasize damage control and protecting the brand — which in itself may follow one or more tracks, based on the nature of the incident.  

Stakeholders include senior leadership, legal counsel (sometimes supported by outside counsel), the head of security, the CIO and CISO, and often on-call cyber security consultants.  The overall objective is to understand what happened, how it happened, who perpetrated the event, what data was affected, overall impact, and how to repair the damage and prevent the same thing from happening again.  

Along these lines, the CDO should help assess the impact of the loss, in terms to cost to the company — defined as asset value, or competitive impact, or brand damage to the organization.  The CDO can be a resource to analyze the nature of the data to determine whether external notifications are required, and – in conjunction with counsel – whether there is a regulatory impact.  Who owned the data? Do regulators, customers, vendors, partners or clients need to be notified? Is there a timeframe requirement for notification and is there a specific process to be followed?  Do affected parties need to be offered – or are they likely to demand – compensation?

The CDO can help analyze what went wrong, by having an understanding of the processes and policy around data use.  Was there misuse of data or was it stored, processed or transmitted in ways it shouldn’t be? Was there a control failure, or absence of control?

This analysis concludes with a reassessment and remediation of processes and controls.

Conclusion

Most corporate leaders recognize the near-inevitability of a breach or hack.  This is due to a variety of factors, including the increased complexity of information systems, coupled with the expansion of data-rich cognitive and robotics initiatives, many of which rely heavily on data.  Data sets themselves are growing at a dramatic pace.

Companies are appointing CDO’s to try and coordinate the activities around the leverage of data, and increasingly, they are assigned responsibility for assessing and managing risk around data.  This is not a bad thing at all, since it helps keep risk management activities proportional to risk and the nature of the data.

CDO’s should approach the challenge with a plan, emphasizing transparency and engaging appropriate stakeholders.  Whereas today, Boards often look to the CIO and CISO to understand how data handled and protected, going forward they will increasingly look to the CDO.

 

CDO, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Data Regulation is the New Reality

James Howard

On October 28th, the BBC’s Chris Baraniuk reported that recently, Tim Cook was in Brussels to address the International Conference of Data Protection and Privacy Commissioners.  In his remarks, Mr. Cook, referring to the misuse of “deeply personal” data, said data was being “weaponized against us with military efficiency”.  The BBC went on to report that Mr. Cook said “We shouldn’t sugar-coat the consequences,” and “This is surveillance.”

The speech reaffirmed Apple’s strong defense of user privacy rights, in contrast to competitors business model of driving advertising revenue by analyzing people online habits.   “The trade in personal data served only to enrich the companies that collect it, he added.”

Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR), and went on to say that other countries “including my own,” should follow the EU’s lead toward protecting personal data.

To be sure, economics are at the heart of the concern.  Given the string of events that have occured, where data is mishandled or exposed, companies are at risk of losing customer and stakeholder trust, and without that trust, it not clear how they can drive or thrive in the data economy.  So coming together in support of a GDPR-like framework makes sense; it raises the conversation to a global level, and can result in a safer and more efficient environment in which to conduct business. Companies that embrace the framework will have more flexibility and resilience, while those firms paying it lip-service will eventually themselves be at the center of their own data crisis.

And therein lies the rub.  Compliance is not the same as data protection, especially when the regulation is principles-based and not prescriptive.  If the objective in implementing a framework is to comply with a regulation, one is tempted to overlay one’s current operating model with the requirements of the regulation and address gaps.  While it may reduce the risk of data incident, it will probably do so by coincidence.

On the other hand, if companies went about handling information with the strongest possible ethics, where they routinely assessed and addressed risk, recognized and avoided moral hazards, then the incidence of breach and miss-use would naturally be much lower.

The obvious competitive issue is that the second scenario is more expensive and less flexible.  Moreover, if a minority of companies took this approach, they would be less prosperous, and economic darwinism would cause them to go extinct.  And suppose there were a major data “catastrophe”, and the market environment were made up of a combination of those that embrace a high degree of data ethics and those that don’t, the market may not recognize and reward the higher resilience of the highly-ethical-but-less-profitable.  Instead, what we’ve seen is the mainstream market reacts with shock and incredulity and – at the prompting of regulators – implement newly-penned frameworks meant to avoid future occurrences of those events.

While one might argue that black swan events are by definition unforeseeable, one can equally argue that waiting for them to strike before implementing any sort of protection strategy simply opens the door to more black swans, and when events do occur, they result in unnecessarily high impact.

Apple’s Tim Cook makes clear his view that status quo is unacceptable.  As an unquestioned highly credentialed leader and insider in the technology (and information) world, his use of words like “weaponized” and “this is surveillance” should not be taken lightly — he knows what he’s talking about.  No doubt more so than the rest of us.

So as with most things, a thoughtful balance must be considered.  The dilemma is how to balance among the following:

  1. The rapid growth the volume to data aggregated by companies, across the board from business-to-consumers, to business-to-business companies, and ranging from companies providing services to those providing goods — and the increasing overlap.

  2. As a subset of that, the increase in the volume of personal data stored online, and the ability to gather even more data about individuals – habits, interests, locations, views and opinions.

  3. The rapid evolution in the science of data analytics, and the ramp-up of technology able to manipulate and compute data on a mammoth scale.

  4. Coupled with this, is the increasing ability to combine and analyze datasets in ways that allow for the creation of new and credible data and conclusions.

  5. As the size and richness of the datasets grow, so do the consequences of an event (whether a breach, misuse, abuse or exposure).  These range from a sense of creepiness when personal data is exposed, all the way to the very real consequences of insidious manipulation of our views and opinions.

In short, how can companies derive benefit from data, while managing the risks?  Neither momentum is letting up — the momentum around utilizing the expanding datasets, or the momentum around data events and subsequent responses from regulators.

One realistic way is to embrace and build a culture around managing all aspects of data, in lock step.  This is built into a data management program, led by a Chief Data Officer, comprised of three interdependent functions:

  1. Data Leverage, focussed on enabling the business use of information,

  2. Data Protection and Compliance, focussed on addressing risk resulting from data leverage, in terms of misuse, loss or non-compliance with obligations

  3. Data Quality, ensuring that the data being used retains its accuracy and integrity

This model is coupled with appropriate oversight, in the form of:

  1. A steering group with senior stakeholders from across the company,

  2. Direct oversight by CEO or COO,

  3. Connectivity into other key functions, including the CIO, CISO, HR and Legal,

  4. Active oversight by the Board of Directors, to support business initiatives and agree with risk mitigations plans.

A standing filter for any and all data initiatives needs to be ethics, and a consideration for the consequences of the genie getting out of the lamp.  Is the company willing to handle the outcome, if an initiative goes wrong? What is the risk, how is it managed, and are the right people accepting the residual risk?

The discussion is reaching a fever pitch with leaders of the most influential technology companies adding their voices to the conversation.  Any company wanting to join the data economy should consider doing so with an appropriate data management framework. This will position them to accelerate as new opportunities present themselves, while being able to manage events as they occur and accommodate compliance requirements that arise.

 

CDO, CPO, Information Management and Governance, Information protection, Privacy

Role of a CDO Supporting Boards of Directors

James Howard

Executive Summary:

Companies are increasingly looking to leverage data as a new revenue stream or a way to increase efficiency.  However, risks related to data breach continue to figure prominently on Board agendas. A Chief Data Officer acting as an advisor can help Boards and Executive Leadership understand the risks and opportunities around data, which in turn, helps Boards fulfill their responsibilities to the organizations they oversee.

Introduction

Boards of Directors have an important and challenging role.  Among other duties, they are responsible to stakeholders for the performance of the organization they oversee.  This includes not only helping to enable business directions and objectives, but also ensuring Management properly identifies, manages and mitigates risks.

Two areas stand out among the ways that information and data figure prominently:  First, business opportunities created by rapid developments in data science and related computing platforms, and second, risks relating to data breach and loss, often under the heading “Cyber risks”.

Business opportunities

Business opportunities tied to information are becoming more important to companies.  Specifically, the significant increase in the role information re-use, leverage and monetization plays in many companies’ strategic plans, increasingly tied to AI and Digital Strategy.  These are outlined in terms of leveraging data science and the abundant range of available data to:

  • Create net-new products and services, including monetizing data, or
  • Enhance and augment existing products and services, or
  • Enrich management information to drive efficiencies.

These initiatives are not trivial, and the potential benefits are huge, whether as new revenue streams, or optimizing operations; many organizations view leveraging information at the strategic level as critical to their continued success – a matter of survival.  Paraphrasing George Orwell, “whoever controls the data, controls the future.”

And momentum is building at a remarkable rate, both in terms of the volume and breadth of usable data, as well as the sophistication of the tools designed to analyze and leverage data.  

Information risks and obligations

Information-related risk presented to Boards and senior executive leadership are often grouped together under the broader topic of Cyber.  These are generally risks related to breach of systems, theft or unauthorized disclosure of data, intrusions, threats to the integrity of systems and data, and the risk of system outages and disaster recovery.  Many recent incidents are where data is exposed on the internet and where the company realistically has no idea whether an actual loss has occurred.

A second category of information risk is also rapidly emerging with increasing consequence, and that relates to compliance with privacy-related information handling obligations and regulations.  These include, for example, the recently enacted EU GDPR (affecting the handling of personal information belonging to EU citizens), HIPAA/HITECH (affecting the handling of health information), and California’s CCPA (affecting the handling of personal information belonging to residents of California).  

Beyond the regulations, there are increasingly explicit requirements for handling data belonging to other stakeholders, spelled out in contracts or other “data use agreements”.  

Consequences for violating information-handling obligations include,

  • Financial: lost productivity, loss of customers, loss of competitive positioning, etc.,
  • Regulatory: fines or other measures imposed by regulators, if the company was at fault.  In the case of GDPR, fines can be as much as 4% of revenue.
  • Brand: loss of customer trust and confidence in the company’s ability to deliver, or to protect information entrusted to them.

Key questions

When evaluating company’s use of data, Board members and executive leadership should ask themselves certain key questions around how data is being leveraged and managed.  These include:

  • What approach is the company taking to leverage data?  What is the vision? The strategy? Is governance a component of the strategy?  Many companies are racing to implement data leverage plans, and in their haste to make headway, many have been hiring data scientists in leadership roles to drive tactical plans ahead.  As a result, governance is often overlooked. However, without proper governance, it will be hard to create a credible strategy reflecting the needs of the business, as well as identify all the opportunities, priorities, costs and risks.
  • Is the data leverage team (“data scientists”) following elements of the Scientific Method?  Many people calling themselves Data Scientists are proposing initiatives where they requisition increasing volumes of data so they can see what opportunities they can come up with.  By itself, this approach introduces risk, since the company may not have a clear idea what they are getting for their investment in big data. By analogy, pharmaceutical companies wouldn’t fund researchers to “play” in the lab letting them see what new drugs they can invent.  Companies pursuing plans to leverage data should do so following some formal methodology which includes articulating and testing hypotheses.
  • Has a data inventory been performed?  What obligations are tied to the data?  Most companies have sizeable volumes of data on hand, and many are asking how they can monetize and leverage the data.  An inventory is critical if the company is going to leverage or monetize data, and knowing obligations is key to understanding what you can do with data and structuring protections.
  • What is the most valuable data and where is it?  Most data classification schemes are very basic — only 2 or 3 classifications.  While these are simpler to implement for security purposes, they aren’t useful for determining relative value of data or what data is key, and can interfere with otherwise appropriate use and access.
  • Who has access to data, and is that access appropriate?  Without proper data governance, you can’t reliably know whether access to data is appropriate.  Being able to answer this question is required under certain privacy and banking regulations.
  • Is it available to the people who need it, and are safeguards appropriate?  Leveraging data requires that the right people can gain access to the data.  But even while its being processed, certain safeguards still need to be in place, and these may be different than for data “at rest”.
  • Have risks to information been assessed along IT and non-IT lines?  Risks should be assessed based on the business processes that manipulate data — not just IT repositories holding data, or applications touching data.  People are the biggest cause of data incidents, and are responsible — in some way — for most “insider threat” incidents.
  • If information were lost, stolen or exposed, how would you know?  Most companies invest in preventing theft or misuse of data, but its extraordinarily difficult to know when data has actually been breached.  Most of the time, companies find out when an outside agency — such as law enforcement, the press, or a “hacktivist” group tells them. Proper data governance and inventory can help reduce the risk of data loss, and allow the company to focus protection efforts on more important data assets.

Step back

Many enterprise risks concerning data elevated to the Board focus on the technology aspects of the risks.  This is often because that is how the company is organized — anything loosely connected to “data” is directed to the CIO and CISO.  Digging into the risks, however, often reveals that the underlying concern is data: it’s use and the consequence of an incident. Taking a step back, if the concern is data, it may be helpful to separate the data from the IT platform it sits on, and from there, zero-in on the issues – both opportunities and risks.

The role of CDO

Increasingly, companies are appointing CDO’s — Chief Data Officer — tasked with implementing governance over the data initiatives, and aligning activity to execute data strategy.   The responsibilities of the CDO vary across organizations, but in general, they should be looked to by the Boards to help understand and navigate data-related matters.

A good CDO focuses on all aspects data – opportunity, risks and obligations.  They are conversant on the technology tools that process, store and transmit data, and can help the Board members understand the topic with clarity so they can engage with executive leadership.  Board members should consider seeking support and advice from experienced CDOs to help them navigate data-related matters in the organizations they oversee.

Conclusion

Data has always been critical to organizations.  In recent years, its increasingly being recognized and treated as an asset that can be leveraged to provide added benefit to organizations, whether through increased revenue or operational efficiencies, and that benefit is tied to the rapidly evolving field of data science as well as the incredible growth in available data.  With the increased prominence of data at the strategic level, Boards of Directors and Senior Executive Leadership are expected to understand and provide direction around the use of data and management of related risks. CDO’s can serve as a valuable resource to help Boards in fulfilling their responsibilities.  

Contact me at james@jhoward.us