Tag: security

CDO, CPO, IAPP, Information Management and Governance, Information protection, Privacy

Looking Ahead: The New Operating Model for Business

James Howard

COVID-19 has had a horribly disruptive effect on almost all people and aspects of society.  This paper starts a dialog around an admittedly tiny aspect of that and a view to the future.  It in no way should be seen to marginalize or trivialize the pain and suffering endured by the millions of people directly impacted by the pandemic.

On May 1st, CNBC published this article that discusses how some businesses are re-evaluating their need for physical office space in light of their experience with a majority of their workforce working remotely.

The rapid shift to work-from-home has served as a catalyst for change.  Many years ago, when video conferencing first became available, companies started to invest in equipment that was office-bound, hoping to reduce business travel. That never happened because the technology was temperamental, brands didn’t interoperate very well, there were never enough facilities, and the equipment required expensive point-to-point T1 lines.

Since then, there were advances in the technology along many orientations, including high speed internet to homes, corporate adoption of laptops, smartphones, and importantly, audio conferencing.  This enabled a shift toward work-from-home, and corporate shared office space – “hoteling” (universally adopted by consulting firms and hated by employees), smaller offices/cubicles sold euphemistically as “open concept” workspaces.  But many were still reluctant to use video (Dilbert summed it up well with a series of comics depicting people “working from home” taking video calls wearing their bathrobes).  Workers were far more comfortable with audio conferencing than video, but it still did a lot to get companies and workers more used to remote working.

The needle moved further toward remote workforce with the dramatic increase in off-shoring, leverage of contractors which in itself lessened the feeling of permanence of employment, and perhaps contributed to workers feeling more comfortable as individual contributors working from anywhere.  Paradoxically, there was a simultaneous shift toward urban living, as the number of young people wanting to drive or commute went down, which one might have thought would shift them back to offices.

Powerful Disruptor

All these shifts were gradual, and the net result was tidal shifts in the work model.  Leave it to nature to provide a dramatic disruption, which has resulted in remote working suddenly accounting for 95+% of non-essential workers.  The points raised in the CNBC article are not at all surprising, given how the experts are bracing for periodic reemergence of Corona, but are also supported by:

  • The high cost of commercial real estate and the need to manage costs
  • The remarkable advances in technology enabling remote working
  • The quality of life impact of time-wasting commutes

A shift to predominantly remote working has immediate benefits, including the opportunity to hire the most qualified workers without regard to their physical location, which helps address challenges businesses have faced hiring the right talent.  It also has consequences, such as the inevitable glut of empty office space.  The sudden reduction in the concentration of office workers has a significant impact to businesses relying on them – restaurants, shops, laundry, shoe-shine, even metropolitan transportation – as large portions of their customers stop coming.

Opportunities

In the past, there have been dramatic disruption to business leading to the shrinkage or elimination of entire industries.  Yet over time, business comes charging back.  Before Corona, unemployment was at record lows, and companies were clamoring for skilled workers.  This is after gloomy predictions of unemployment after waves of off-shoring everything from manufacturing to call centers to highly skilled workers.

What has to happen for remote working to become as effective as working from a managed location?

Physical space: Many people don’t have home offices and take over the dining room table instead.  This isn’t sustainable, since asking people to shift from a company managed location to home involves a level of disruption and the only financial beneficiary is the employer.   Wouldn’t it make more sense for the employer to provide each employee a remodeling budget (funded by savings resulting from reduced commercial real estate costs)?  Small contractors could build-out home offices based on guidelines or specifications defined by the employer.

Technology infrastructure: When someone works in an office, the employer provides a laptop and a portfolio of business applications, but also the infrastructure to provide access to those applications – physical connectivity, wi-fi, deskside support.  They establish standards that they are able to support in a cost-effective fashion.  This needs to be replicated in some fashion at home, at least for a portion of the workforce.  It’s not realistic to expect the worker to solve all their home technology issues and not impact their efficiency.  Solution?  A ramp-up of home technology service-providers (e.g., Geek Squad) who set up and support home offices.

Improved wireless: There is a race underway to roll out 5G infrastructure and public wi-fi 6 that promise high-speed performance that rivals (or beats) home-based/cable internet access.  This may be a boon for remote workers and their employers because it simplifies the support model by eliminating the so-called “last mile” connectivity to the individual house in favor of a more controlled infrastructure using transmitters on towers in public spaces.

Comforts and conveniences: As people get used to working remotely, their appetite for convenience goods and services will likely return.  This means the retail services that had been located near office buildings will cater to home-based workers.  To be sure, it won’t look the same, given that the density of customers is different.  There will be more home delivery or curbside service.  Will it be the same in terms of volume?  Probably in an overall sense, but the concentration will differ.  But it seems reasonable that the businesses that can cater to distributed remote workers will benefit.

Challenges – Privacy and Data Protection – a tiny slice

There is no doubt that as with any fundamental disrupter, there will be challenges to be met before we move to equilibrium – the so called “new normal”.  Among many others, information protection and privacy faces challenges.  Some years ago, a colleague authored a prescient paper entitled “Privacy in a Pandemic” that explored the reasonable tradeoffs to be made when balancing individual rights against the needs of society, famously captured by Spock as he sacrificed himself believing “the needs of the many outweigh the needs of the few… or the one”.  But the new equilibrium has implications for privacy and data protection in a more corporate setting.  While privacy regulation accommodate these priorities, privacy and data protection programs will have to re-calibrate their risk assessments and place new weight on risks made more prominent by the shift away from office-based workers, to one where the line between personal life and professional activity is blurred to the point where you can hardly tell the difference.  Clear desk policies went from being a constant real and philosophical debate to now being completely unenforceable, and therefore mostly moot.  Implementing sound technical controls that don’t disproportionately interfere with the ability to work will take time, and likely require new technology deployments.

Understanding purpose: A key enabler to pivoting data privacy will be a mature data governance program.  Making assumptions around higher level enterprise controls is no longer safe.  Instead, knowing the nature and location of data is far more important in order to protect while enabling use.  Providing more discrete permissions around the use of data will help lessen the risk of loss and unauthorized disclosure.  Understanding the purpose behind proposed use of data will enable assigning more discrete permissions.  Since preserving privacy is a lot more than just ensuring protection, the philosophy of understanding purpose also helps ensure appropriate use of data.

Fundamentals: Implementing new controls will take time and carries the risk of creating more frustration and confusion that benefit until the edges are smoothed out.  Privacy leaders should step back and consider the full breadth of their programs, leveraging all techniques to manage risk while avoiding unnecessary disruption.   An effective awareness program, for example, can go a long way to encouraging people to make safe decisions when handling data.

Summary

COVID-19 has created havoc in unprecedented ways, and has affected the lives of billions of people.  The human toll cannot be measured, and the suffering by so many should not be swept aside.  Experts are working through the optimal medical strategies while economists are still trying to model the short, medium and long term impacts to business.  Entire books will be written and college classes will be structured around the Coronavirus pandemic.  This paper has taken a very narrow slice of that and will hopefully start an open-minded dialog around how to help enable the future operating model for business.  The dialog can and will continue in months and years to come.

CDO, CPO, Information Management and Governance, Information protection, Privacy

CDO’s Role in Managing Data Breaches

James Howard

In the span of a week, we’ve see data breaches affecting 600 million people.  For perspective, that’s more than every man, woman and child in the US, Russia, Canada, Britain and Australia combined.  And the damage may not be done, as scammers and other bad actors frequently take advantage of the widespread confusion that follows these sorts of incidents.

Moreover, as the investigations unfold, we will begin to see the breadth and depth of what went wrong, who did what, and what steps must be taken to prevent this from happening in the future.

The risk manager in me says this will happen again, just as it’s happened before.  Data experts know all too well the challenges in implementing controls proportional risk, and counter-balancing every data initiative with the right set of controls — starting with asking whether the proposed data collection or use benefits are worth the downside risk.

So what does this mean to a Chief Data Officer?  In a word, everything. Why? Because data is at the center of every breach, and the CDO should be looking at the full picture around both data use and data risk.  The emerging role of the CDO in business positions them as a key executive in helping to reduce the risk of breach as well as to navigate the aftermath, protecting the organization’s brand.

Before a Data Incident

In the normal course of business, the CDO should be executing against the company’s data strategy and vision, and maintaining an inventory of critical data assets.  The inventory should include key meta-data — ownership, obligations, location, permissions, value, uses, etc — which forms an important part of a periodic risk analysis.  

The risk analysis considers threats, vulnerabilities, obligations and relative value of the data to conclude on appropriate protections.  The more progressive CDO’s will construct a holistic threat analysis that answers the question, “what could go wrong?” or “how might information be breached?” taking into account behavior of personnel, company culture, key business activities and positioning of the company in the marketplace.  Typically, such an analysis covers the spectrum from the seemingly mundane (accidents caused by carelessness or poor judgment), all the way to industrial espionage targeting company data, with a total of 5 or 6 categories in between. This analysis serves as a sounding board to validate the range of control activities, which includes everything from policy, to business practices, to training, to technical controls, and some instances where certain risks have to be accepted, insured against, or perhaps transferred elsewhere.

The CDO should provide business requirements to the CIO and CISO for appropriate technical measures to provide protections, which – depending on the sophistication of the company – could range from providing data classifications, to which the CISO or CIO react, all the way to explicit requirements for, say, encryption and access control.  

The inventory shines a light on whether all data on hand is truly necessary, or whether some can be disposed of.  Moreover, the CDO’s analysis of business processes using data can also question whether all data being collected is necessary.

The Board of Directors, senior executive leadership and internal audit should – to appropriate degrees – be aware of how the company is using data as well as the CDO’s assessment of risk and mitigating controls.  This will allow them to understand the risk/benefit around data use, and weigh in whether the business opportunities related to data use are sufficiently compelling.

The CDO maintains relationships with counsel to understand the legal aspect of obligations, and obtain sign-off on the sufficiency of the compliance programs.  The CDO should understand their regulators’ expectations and requirements around handling data, making sure their protection controls meet regulator expectations.  These steps are key, because most breaches — especially where regulated data is involved — will result in legal or regulatory exposure, and having transparency with counsel and regulators with streamline investigations.

The CDO should own (or be a key stakeholder in) the data incident management process. This is the process whereby data incidents — data loss, possible breaches or exposures — are logged, analyzed and investigated.

During a Data Incident

Sometimes, a target organization is aware of a data incident as it’s occurring.  Many companies have processes to respond in this event, which may focus on containment, interruption, or other priorities (allowing an attack to proceed in a controlled way may help law enforcement with their investigation).

The CDO should be available to help answer questions about the nature and location of data that may be accessed, as well as to begin preparing post-incident planning. Some data owners (e.g., Federal Government) have explicitly defined time frames to report data incidents, the CDO can get ahead of these requirements.  

Following a Data Incident

Companies should have a crisis management plan that includes defined procedures to be followed in the event of a cyber attack, data breach or exposure.  The details of these plans are tailored to each company, and generally emphasize damage control and protecting the brand — which in itself may follow one or more tracks, based on the nature of the incident.  

Stakeholders include senior leadership, legal counsel (sometimes supported by outside counsel), the head of security, the CIO and CISO, and often on-call cyber security consultants.  The overall objective is to understand what happened, how it happened, who perpetrated the event, what data was affected, overall impact, and how to repair the damage and prevent the same thing from happening again.  

Along these lines, the CDO should help assess the impact of the loss, in terms to cost to the company — defined as asset value, or competitive impact, or brand damage to the organization.  The CDO can be a resource to analyze the nature of the data to determine whether external notifications are required, and – in conjunction with counsel – whether there is a regulatory impact.  Who owned the data? Do regulators, customers, vendors, partners or clients need to be notified? Is there a timeframe requirement for notification and is there a specific process to be followed?  Do affected parties need to be offered – or are they likely to demand – compensation?

The CDO can help analyze what went wrong, by having an understanding of the processes and policy around data use.  Was there misuse of data or was it stored, processed or transmitted in ways it shouldn’t be? Was there a control failure, or absence of control?

This analysis concludes with a reassessment and remediation of processes and controls.

Conclusion

Most corporate leaders recognize the near-inevitability of a breach or hack.  This is due to a variety of factors, including the increased complexity of information systems, coupled with the expansion of data-rich cognitive and robotics initiatives, many of which rely heavily on data.  Data sets themselves are growing at a dramatic pace.

Companies are appointing CDO’s to try and coordinate the activities around the leverage of data, and increasingly, they are assigned responsibility for assessing and managing risk around data.  This is not a bad thing at all, since it helps keep risk management activities proportional to risk and the nature of the data.

CDO’s should approach the challenge with a plan, emphasizing transparency and engaging appropriate stakeholders.  Whereas today, Boards often look to the CIO and CISO to understand how data handled and protected, going forward they will increasingly look to the CDO.

 

CDO, CPO, GDPR, IAPP, Information Management and Governance, Information protection, Privacy

Data Regulation is the New Reality

James Howard

On October 28th, the BBC’s Chris Baraniuk reported that recently, Tim Cook was in Brussels to address the International Conference of Data Protection and Privacy Commissioners.  In his remarks, Mr. Cook, referring to the misuse of “deeply personal” data, said data was being “weaponized against us with military efficiency”.  The BBC went on to report that Mr. Cook said “We shouldn’t sugar-coat the consequences,” and “This is surveillance.”

The speech reaffirmed Apple’s strong defense of user privacy rights, in contrast to competitors business model of driving advertising revenue by analyzing people online habits.   “The trade in personal data served only to enrich the companies that collect it, he added.”

Mr Cook also praised the EU’s new data protection regulation, the General Data Protection Regulation (GDPR), and went on to say that other countries “including my own,” should follow the EU’s lead toward protecting personal data.

To be sure, economics are at the heart of the concern.  Given the string of events that have occured, where data is mishandled or exposed, companies are at risk of losing customer and stakeholder trust, and without that trust, it not clear how they can drive or thrive in the data economy.  So coming together in support of a GDPR-like framework makes sense; it raises the conversation to a global level, and can result in a safer and more efficient environment in which to conduct business. Companies that embrace the framework will have more flexibility and resilience, while those firms paying it lip-service will eventually themselves be at the center of their own data crisis.

And therein lies the rub.  Compliance is not the same as data protection, especially when the regulation is principles-based and not prescriptive.  If the objective in implementing a framework is to comply with a regulation, one is tempted to overlay one’s current operating model with the requirements of the regulation and address gaps.  While it may reduce the risk of data incident, it will probably do so by coincidence.

On the other hand, if companies went about handling information with the strongest possible ethics, where they routinely assessed and addressed risk, recognized and avoided moral hazards, then the incidence of breach and miss-use would naturally be much lower.

The obvious competitive issue is that the second scenario is more expensive and less flexible.  Moreover, if a minority of companies took this approach, they would be less prosperous, and economic darwinism would cause them to go extinct.  And suppose there were a major data “catastrophe”, and the market environment were made up of a combination of those that embrace a high degree of data ethics and those that don’t, the market may not recognize and reward the higher resilience of the highly-ethical-but-less-profitable.  Instead, what we’ve seen is the mainstream market reacts with shock and incredulity and – at the prompting of regulators – implement newly-penned frameworks meant to avoid future occurrences of those events.

While one might argue that black swan events are by definition unforeseeable, one can equally argue that waiting for them to strike before implementing any sort of protection strategy simply opens the door to more black swans, and when events do occur, they result in unnecessarily high impact.

Apple’s Tim Cook makes clear his view that status quo is unacceptable.  As an unquestioned highly credentialed leader and insider in the technology (and information) world, his use of words like “weaponized” and “this is surveillance” should not be taken lightly — he knows what he’s talking about.  No doubt more so than the rest of us.

So as with most things, a thoughtful balance must be considered.  The dilemma is how to balance among the following:

  1. The rapid growth the volume to data aggregated by companies, across the board from business-to-consumers, to business-to-business companies, and ranging from companies providing services to those providing goods — and the increasing overlap.

  2. As a subset of that, the increase in the volume of personal data stored online, and the ability to gather even more data about individuals – habits, interests, locations, views and opinions.

  3. The rapid evolution in the science of data analytics, and the ramp-up of technology able to manipulate and compute data on a mammoth scale.

  4. Coupled with this, is the increasing ability to combine and analyze datasets in ways that allow for the creation of new and credible data and conclusions.

  5. As the size and richness of the datasets grow, so do the consequences of an event (whether a breach, misuse, abuse or exposure).  These range from a sense of creepiness when personal data is exposed, all the way to the very real consequences of insidious manipulation of our views and opinions.

In short, how can companies derive benefit from data, while managing the risks?  Neither momentum is letting up — the momentum around utilizing the expanding datasets, or the momentum around data events and subsequent responses from regulators.

One realistic way is to embrace and build a culture around managing all aspects of data, in lock step.  This is built into a data management program, led by a Chief Data Officer, comprised of three interdependent functions:

  1. Data Leverage, focussed on enabling the business use of information,

  2. Data Protection and Compliance, focussed on addressing risk resulting from data leverage, in terms of misuse, loss or non-compliance with obligations

  3. Data Quality, ensuring that the data being used retains its accuracy and integrity

This model is coupled with appropriate oversight, in the form of:

  1. A steering group with senior stakeholders from across the company,

  2. Direct oversight by CEO or COO,

  3. Connectivity into other key functions, including the CIO, CISO, HR and Legal,

  4. Active oversight by the Board of Directors, to support business initiatives and agree with risk mitigations plans.

A standing filter for any and all data initiatives needs to be ethics, and a consideration for the consequences of the genie getting out of the lamp.  Is the company willing to handle the outcome, if an initiative goes wrong? What is the risk, how is it managed, and are the right people accepting the residual risk?

The discussion is reaching a fever pitch with leaders of the most influential technology companies adding their voices to the conversation.  Any company wanting to join the data economy should consider doing so with an appropriate data management framework. This will position them to accelerate as new opportunities present themselves, while being able to manage events as they occur and accommodate compliance requirements that arise.

 

Information Management and Governance, Information protection, Uncategorized

The Role of the CDO in Counter Industrial Espionage

James Howard

When one thinks of spies and espionage, our imaginations usually turn to James Bond and Jason Bourne stories.  But with the end of the cold war, many former intelligence officers found more lucrative opportunities in the private sector, offering their services to non-government organizations that were perfectly willing to leverage the research and development capabilities of their competitors.

Fast forward to a time where the economic competition between companies affects political tension between nations, where some nations see nothing wrong with applying techniques developed during cold and shooting wars to provide their own companies with ill-gotten advantages – even at the expense of political allies.

Politico recently published this article that discusses how companies in the Bay Area have become targets for industrial espionage originating from China, Russia and other nation-states.  The article touches on the breadth and depth of the problem, including making a very interesting point that many companies choose not to prosecute espionage cases.  Its remarkable that even when faced with irrefutable evidence, many corporate leaders choose to ignore the facts and fail to notify stakeholders, for fear of how it will reflect on them or affect share price.

There is no doubt that building defenses against industrial espionage is a complicated task, made harder because (1) information has to remain available and usable by the organization, and (2) the organization has to anticipate a wide range of attack “vectors” whereas the intruder only needs one to work.  And if this wasn’t complicated enough already, industrial spies don’t just target computer systems, they target people.  If truly successful, the organization won’t know they’ve been hit until they see a foreign version of their new product, far too similar to the original to be coincidence.

This is not an IT problem

Most organizational leaders equate information to technology, conclude this is an IT problem, and assign responsibility to the CISO to implement appropriate protections.  This logic is flawed for many reasons, not the least of which is the CISO typically has little to no ability to enforce security policies for systems not “owned” by the CIO, nor have the organizational scope to address the behaviors of people.

Although information theft frequently include IT and cyber vectors, people are often near or at the epicenter of an espionage case.  People enable the theft either by actively participating, or by carelessly allowing it to happen.  Professionals who study espionage have determined that people are motivated to betray their employer (or country) for one of 4 reasons, using the acronym “MICE”:

  1. Money – the actor either sees this as a way to get rich, or are financially distressed (in debt, recently divorced, have a gambling problem, etc).
  2. Ideology – the actor believes the organization is somehow evil, and betrayal is a way for the actor to cause harm or suffering, thinking it was deserved,
  3. Coercion (or Compromise) – the actor has a secret that makes them vulnerable to extortion, or are threatened with physical harm to themselves or their loved ones,
  4. Ego – the actor thinks they are smarter than the organization, and can get way with it, or are enticed to spy believing it makes them more important.

None of these touch the ways in which people through their actions, innocently permit espionage to occur.  People are helpful and hold the door for others – especially if their hands are full.  Or take calls wanting to assist the caller (who they assume are authorized to ask what they are asking).  People are reluctant to challenge strangers in the hallways, and a startling number of companies don’t require employees and visitors to display ID badges while on-site.  Doors and drawers are left unlocked and clean-desk policies are seen as burdensome.  There is widespread belief that “it can’t happen to us.”

Where does the CDO fit in?

Industrial spies seek to steal information to gain economic or competitive advantage, and work tirelessly on creative ways to get it.

In basic economic terms, its worth stealing information if theft is cheaper than developing it — assuming ethics aren’t an issue, and the risk of getting discovered is acceptable.  So defending against the theft can be thought of as making it more expensive to steal information than it is to develop or acquire it through other means.

The CDO fits in because they are at the intersection of information use, protection and quality.  They should be in the best position to understand what information is most valuable, or put another way, what information, if lost or stolen, would cause what degree of harm to the organization.  And by understanding where and how information is stored and processed, they are in a good position to provide input on how to protect it.

The CDO’s strategy includes elements that are helpful to guard against industrial espionage.  Some steps the CDO can take include

  1. Classify information as an asset (even if informally, and not captured in the financial statements), and assign economic value, so that protections can be developed that are proportional to the value.
  2. Inventory information and work with the Data Governance Council to identify those broad categories that are most vulnerable and attractive to a spy.  They might include the obvious — patents, methods, formulas, algorithms — as well as some less obvious — executive contacts information, network diagrams, or even payroll information (knowing how much people are paid help know who may be vulnerable to financial pressure).
  3. Liaise with corporate security to gain an understanding of how they are working to protect the organization.  Many of these leaders are former law enforcement professionals, often don’t have an appreciation of the relative value of information within the organization, and will welcome allies on the “business side” to help raise awareness and improve corporate posture.
  4. There is no doubt that nowadays, cyber is a vector frequently exploited to steal information.  Liaise with the CISO to convey proper information protection requirements that need to be reflected in IT systems, proportional to the value of the information in question.
  5. Again, working with the CISO and compliance groups, adjust data loss prevention (DLP) tools to monitor for exfiltration of the most sensitive information.  These procedures need to include investigative and response processes, and may already exist (e.g., privacy rules often include requirements for breach management procedures, and these are very leverageable for this purpose).
  6. A significant part of a risk mitigation plan includes raising awareness among the organization’s people — employees as well as contractors and third-parties.  The CDO can spearhead this themselves, or collaborate with the group responsible for promulgating policy and procedures covering actions and behavior.
  7. Some spies have figured out that if their primary target (say, a high-tech company) is too hard to penetrate, they will instead shift focus to the target’s advisors (legal, auditors, consultants, professional services), since they are trusted by the primary target, but are often more vulnerable and may have weaker controls.  The CDO should understand what business partners and third parties have access or custody of information and — and along with the TPO (Third Party Oversight) function — can mitigate the relative information risk associated with them.

Protecting an organization against industrial espionage is very difficult for a wide range of reasons.  And since the asset sought after by the spies is information, the CDO is central to implementing protections and managing risk.  Success can’t be measure in absolute terms, but instead in increments — implementing small steps puts the organization in a better position than not having the small steps.

Contact me at james@jhoward.us

CDO, Information Management and Governance

CDO: Leveraging AND Protecting Data

James Howard

A lot is written about the important role the CDO has in promoting, monetizing and leveraging data in an organization. There is no doubt this is their primary function, and failing to fulfill the role can cost the organization in terms of revenue, competitiveness and market position. But the CDO has an equally important role in overseeing governance of data, and failing to embrace that part can lead to similarly negative outcomes.

I’m going to make a provocative statement: the data leverage market is charging ahead and the data governance disciplines are not keeping up. We will continue to see headlines describing data-related issues. Like opposite ends of a rubber band being pulled tighter and tighter, we are facing an increasing risk of a significant, potentially catastrophic, event. The risks aren’t only that data might lost or breached, but also that the organization might fail to gain full benefit from their data. The CDO plays a key role in managing the risk, avoiding issues, which in turn positions the organization to move faster and more nimbly.

Lets talk about the data:

A majority of companies are leveraging Big Data, with Financial Services and Healthcare leading the charge, and nearly 80% of executives believe that failing to embrace Big Data will cause companies to lose their competitive edge. Use cases range from customer and clickstream analysis, to fraud detection and predictive maintenance. The statistics go on and on, all pointing to an accelerating pace of growth and adoption.

  • Tools are becoming more sophisticated, and evolving to where increasingly, end-users can can pursue data tasks without involvement of IT staff. The analytics software and services market is $42B this year, expected to grow to $103B over the next 9 years.
  • And 59% of executives believe that their use of Big Data would be improved through the use of AI – often itself dependent upon the quality of data.
  • How much data? One estimate puts at 44 zettabytes by 2020 (44 TRILLION gigabytes)!

Point being, we are continuing the trajectory of very high growth in the use of data, and no end in sight as far as how much data there is to manipulate and leverage.

OK. So how is it being managed?

Increasingly, where in place, responsibility to establishing the vision and executing the strategy for data use falls to the Chief Data Officer. However, less that 20% of the top 2,500 companies have named CDOs, and they are often focused on the market-facing and revenue aspects of data. But even for those CDO’s whose responsibilities include governance (covering data protection and quality), there are no standard frameworks to employ to manage data.

By framework, I mean the mechanisms to manage data through it’s lifecycle the way one would manage any other asset. Gartner observes that while the traditional business disciplines provide some analogs to manage information as an asset, nothing has emerged tailored to information, let alone adopted as a standard. In fact, accounting standards don’t even include “information” on financial statements.

Within any governance framework should be Protection against reasonably foreseeable threats. There should be a model where protection of data is proportional to data (asset) value, relevant risks and threats, and which takes into account compliance obligations. To be sure, there are many sets of obligations, supporting methodologies with varying levels of adoption and maturity to address data protection along verticals (e.g., GDPR, HIPAA/HITECH, etc), and respectable frameworks to help ensure information security (ISO27001, for example). But these are rarely within the responsibility scope of the CDO. The CDO has to navigate different organizations to engage with one or more CIOs, CISOs and/or CPOs to help implement protections — and those other leaders’ priorities are often on other imperatives, and politics frequently interfere. So it’s difficult to see how an organization can simultaneously position itself to leverage data as a key asset, while also ensuring proper and proportional protection.

Stepping back looking at the bigger picture, I’m describing a market environment where opportunities for leveraging and profiting from data are exploding, while the mechanisms to manage and protect that data are lagging.

What can go wrong?

This pattern points to scenarios where data is breached, questionable data becomes over relied-upon, or where momentum builds to leverage and profit from data, but due to the lack of proportional governance, an event occurs (or worse, issues go undetected until outsiders raise the alarm) resulting in a loss or process failure, leading to financial and/or brand damage and regulatory intervention. A quick review of headlines reminds us this happens on an all too regular basis, leading to the inevitable questions such as, “how could this have happened?” or “you should have seen that coming”.

Is it avoidable? 

Black swan events are – by definition – unanticipated.  However, organizations can take significant steps to anticipate and either avoid or plan for these events, and prepare for potential outcomes by embracing information management and governance techniques. Remember, a data event – whether a breach or a perceived abuse of data – affects not only the organization in question, but also those around it, emanating outwards.

Data leverage and data management can be thought of as opposing forces pulling opposite ends of a rubber band — they will reach a breaking point, and the tension needs to be released in a controlled fashion. The CDO plays a key role, since they should be looking at the “big picture” of “big data”.

  • The CDO needs to be empowered and adopt a posture that balances pursuit of opportunity with proper governance – protection, quality, accuracy.
  • The CDO should be prominent in an organization, to begin addressing the many cultural barriers to information management.
  • The market needs to settle on a framework to manage information as an asset, recognizing it has value and utility to be exploited.

We are living in a world where data is everywhere and the ability to manipulate it for benefit is growing at an incredible pace. Market disruptions are occurring on a daily basis, often enabled by creative use of technologies that analyze data. Forward looking companies wanting to play in this space are looking to CDOs to help, and they need to be properly enabled. Now is the time to engage.