Data is Risky Business: The Darker Side of Data Monetization

We have seen an impressive amount of hype and hoopla about “data as an asset” over the past few years. And one of the side effects of the COVID-19 pandemic has been an acceleration of data transformation in organisations of all sizes. But data management teams in organisations often still struggle with how to communicate the real value of data to organisations. How do we put a value on data so that the budgets we need to fund the proper management, governance, and husbandry of this core asset?

United Airlines has famously leveraged its customer loyalty database to underwrite borrowings to keep them ticking over during global travel restrictions. They raised $5 billion against a valuation of $22 billion on their loyalty database. This is a great example of data valuation and data monetisation, but it’s not exactly compelling to a smaller business that doesn’t have such a data asset at their disposal. The message that is all too often taken away from vignettes such as this is “we need to spend money on getting us some customer data and putting it in {insert name of tech de jour} to monetise it.”

Of course, fans of the TV show South Park will recognise this as the classic “Underpants Gnomes” business model. First we take all the underpants, Question Mark, PROFIT!!

Do Not Underestimate the Power of the Dark Side

But there is a darker side to data monetisation and data valuation that has trended upwards over the past year. Globally, successful ransomware attacks have grown by triple digit figures. In the United States, we have seen industries as diverse as Colonial Pipeline and various healthcare providers being attacked and effectively shut down for days, if not weeks. Closer to home for me, the Irish Health Service Executive (HSE), our national public health service, is still recovering from a ransomware attack that has required them to rebuild the entire IT estate of the organisation from hardware upwards over the past month.

A month on, and the Irish health care system is still struggling to recover. And potentially the personal data and sensitive medical data of every single person who has been treated in the Irish health care system has been copied and is being traded in the dingy back alleys of the internet.

The fact that the criminal enterprises (and the perpetrators of these attacks are both criminal and professional businesses) have decided that crippling health services in pursuit of ransom tells us all we need to know about their morality and ethics.

But there is an important lesson here: If we don’t value our data, the bad guys will.

What Else Should We Learn?

When an event like a ransomware attack hits an organisation, it is akin to all the technical debt and data governance debt you have built up being called in overnight.

What data is compromised? What processes are impacted? What will the impact be on customers, staff, and other stakeholders? Do we have backups? Are they complete? Have they been tested? How long will it take us to recover?

This is why governments around the world are calling for business leaders to take urgent action to counter the ransomware threat. Note: the call is for business leaders to act, not for IT managers to do something. This is a business issue, an economic risk, and a societal crisis. And it is an issue that requires data to be understood in organisations as a mission critical asset class and not conflated with the technology that is used to process, move, and manage that data. More than that, it’s an issue that requires business leaders, regardless of the size, scope, or industry we are operating in, to develop an understanding and basic levels of data literacy and data competencies.

And this is my concern. We aren’t learning this fast enough. And as organisations start to normalise their data transformation shift that was driven by the COVID-19 pandemic and as the momentum for data transformation in organisations of all sizes starts to pickup as we begin to restart the world, I see the same fundamental mistakes, gaps, and weaknesses in organisations as I saw twenty years ago when I started on my journey in data management in the aftermath of Y2K.

Working with a client recently, my team was asked to provide some scoping advice on data quality remediation in their CRM system to make sure they could use it more effectively and begin to implement a strategy of process optimisation and automation. When did the review, we saw classic problems of no data definition, a flat data model that contained multiple fields for the same fact, and ad hoc governance. What we found was evidence of technical debt and data governance debt that was holding the business back. What we didn’t see was a coherent data strategy or any concept of a business data model. Thankfully, this client recognised the pernicious influence of the Underpants Gnomes and knew they needed to figure out what the “Question Mark” was that could turn their data underpants into profit. But while they knew they had to do something, they didn’t know what that was or how to go about doing it (but we can help them with that).

In the Irish HSE, the last few weeks have been an uphill struggle as the organisation was reset to the data management capabilities of the 1980s. While certain services have been cancelled (like chemotherapy) and while it is taking longer to get basic medical tests completed, thankfully the COVID vaccine rollout has been largely unaffected. But more telling is a recent radio interview with frontline staff in one area of the Health Service posed the question as to how badly they had been affected. The response was simple. This area has had no investment in new technologies or processes in over fifteen years and was still almost entirely paper-based. So, the impact of the ransomware attack on their day-to-day operations was negligible. While the criminal gang had effectively bombed many of their colleagues back to the digital stone-age, they were already there.

What can we learn from these two vignettes? Investment in data is necessary, and that will often require investment in supporting technologies and people skills and competencies. Knowing what to invest in is essential. That means understanding our business processes and the critical information flows in our organisations. We need to invest in foundations. Data foundations like business data models, business data glossaries, information inventories, backup and recovery strategies, data retention and disposition plans, data quality, and data strategy. People foundations like data literacy at appropriate levels relevant to people’s roles, change management, and developing a clearly communicated vision for the value of data to our organisations.

Building Back Better

If we don’t get these foundations right we will not be able to build back better.

The promised benefits of data transformation arising from and accelerated by the COVID-19 pandemic will fail to materialise. Historically, the failure rates for data transformation, CRM, or ERP projects are crushing. Because the foundations aren’t there and the technical debt and data debt we let build up offsets any benefit.

And if we don’t get our foundations right, the walls we build to keep bad guys out and data safe will be unsound and full of holes. We need to build back better.

If we don’t value our data now, it is inevitable that bad guys will put a value on it for us in the future.

Share this post

Daragh O Brien

Daragh O Brien

Daragh is the Founder and Managing Director of Castlebridge, a leading Information Governance, Privacy, and Strategy consultancy based in Ireland. He has a degree in Business & Legal Studies from University College Dublin, and is a Fellow of the Irish Computer Society. Prior to founding Castlebridge, Daragh worked for over a decade for a leading Irish telecommunications company in roles as diverse as Call Centre operations, Single View of Customer Programme management, and Regulatory Compliance and Governance. He a regular presenter and trainer at conferences in the UK and worldwide. Apart from his consulting and education work, Daragh is also Data Privacy Officer for DAMA International, a faculty member at the Law Society of Ireland, and a contributing research partner to the Adapt Centre in Trinity College Dublin. He lives in Wexford in the South East of Ireland and can be reached at daragh@castlebridge.ie or on twitter: @daraghobrien. In 2016, he was ranked by Onalytica as the 24th most influential person on Twitter in Information Security (including Data Governance and Data Privacy).

scroll to top
We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept