Information Security to Justify Data Governance

Many organizations consider Data Governance to be a daunting task that requires dedicated resources and consumes an inordinate amount of time and energy. The perception is that it creates a sense of command and control that does not suit the culture of the organization.

However, Data Governance can be non-invasive!* The secret is to piggy-back it onto an existing organizational strategy.

To be successful, a Data Governance program needs a Sponsor who understands the need for, and strongly supports, the cause. Finding an existing strategy that can support the business value for the existence of a DG program, and a Sponsor who believes in the value of Data Governance, is crucial.

One such strategy could be Information Security. A significant portion of a company’s value is in its data. Information security is a strategy used to protect the confidentiality, integrity, and availability of data. It aims to prevent or minimize the impact of security incidents and to reduce risk to a level that is acceptable to the business. Cyber threats and hacks are at a record level, and Cyber Crime accounts for 74.1% of the motivation behind attacks.*

Information Security as a Justification for Data Governance

Both Information Security and Data Governance share one common goal – Protect Data! Data Governance is a fundamental part of security. It ensures that the right people have the right access. While Information Security makes sure that Enterprise Data is safe and locked down, a Data Governance program ensures that this safe data is accessible across the organization in a controlled manner. Data Governance and Information Security are key foundations for an enterprise Cyber Security strategy.

Let us use the analogy of a home. It is important to keep your home safe from intruders trying to enter or hackers trying to break into your computers to steal your personal information. To ensure that there is no intrusion, precautions are taken by having locks for the doors, installing security alarms, and setting up anti-virus software on computers. Only authorized individuals living in the home have access to enter the house and use the computers. Access to information is locked down. This is security.

However, a secure home does not always translate into a peaceful home, or one that anyone would want to live in. A peaceful home requires that individuals in the home can move about, use the various rooms and appliances, and be free from internal chaos. This can only happen when roles are assigned to individuals to manage the household.

The roles can be broken down as follows:

  • Sponsor: This is the individual who owns the home and takes on the responsibility of managing the household.
  • Council: These are individuals representing each of the units in the household. Units can vary from finances, the kitchen, the house, the garden, etc. These are accountable members making tough decisions. Usually, they are the parents.
  • Stewards: These are SMEs who are experts in their field and who ensure that they manage the area of expertise by resolving any issues and abiding by a set of rules. This can be landscapers, house cleaners, etc.
  • Steward Coordinators: These are key individuals in the household who are responsible for finding stewards that can take on various roles within the household. This role is responsible for making sure that any changes to the rules of the home are clearly understood and propagated to the rest of the household. Again, these are typically parents.

While it is important to lock down access to the home, it is equally important that inside the home there is a set of processes that ensures efficient management of the household.

How to Leverage Information Security as a Sponsor

Effective Information Security requires a thorough understanding of the enterprise’s Data Landscape. The first step is to set up Data Classification. A Data Classification document may contain the following details:

[Screenshot: Data Classification document details]

The next step is to understand the IT Systems that store categorized data elements. The Common Data Matrix referred to in Rob Seiner’s “Non-Invasive Data Governance” book is an excellent artifact to capture all necessary details such as Data Classification categories, list of Data SMEs, Systems/Applications that support the classified data elements, and Business Units that use the data elements under different capacities (consumers, creators etc.).

How This Will Help

Data Classification documents and a Common Data Matrix* are great inputs to initiate a Data Governance program. They enable you to:

  • Effectively document the data landscape and create awareness within the organization of what data exists and where it is sourced.
  • Influence senior management to be aware of, and committed to, safety of data within the organization, thus creating awareness of a need to have good standards. This will help identify a sponsor for the program.
  • Identify SMEs who can perform roles of Data Stewards to monitor and maintain data units within their specific business areas.
  • Create effective policies and standards based on inputs that will not disrupt the working culture of the organization.

Next Steps

An engaged and supportive Executive sponsor is the key to a successful Data Governance program! The sponsor must understand and see the need for a Data Governance program within the organization. The sponsor can be from any business unit within the organization, but since Data Governance and Information Security are so tightly entwined, a sponsor from Information Security is a great candidate.

The factors that enable a successful Data Governance program are business alignment, engagement, and effective execution and change management. Try to find potential Data projects or efforts within the organization and use them to attract a sponsor by creating better awareness of structure or the lack thereof, and by highlighting the business value that Data Governance can provide to the organization. Most importantly, align your Data Governance proposal to key strategic initiatives like Information Security.


Sources

[1] Bob Seiner’s book “Non-Invasive Data Governance” outlines the effort as the practice of applying formal accountability and behavior to assure quality, compliance, security and protection of data. The Common Data Matrix from this book is a very useful template. This template outlines all required Data Classification details in a single matrix.

[2] http://www.hackmageddon.com/category/security/cyber-attacks-statistics/


About Anu Tirupathi

Anu Tirupathi is a Principal Enterprise Analyst at Intellectual Ventures. Anu is very passionate about work related to data strategies, data quality and other data management practices. She has spent more than 10 years on this topic and continues to have the thirst to learn more about data. Anu spends her leisure time hiking and spending quality time with her family. Anu can be reached on LinkedIn or via email at anuradha.t@gmail.com.
