Could cybercrime cost the world $6 trillion by 2021? It’s an unprecedented threat, and it demands that large organizations, the entities with the most money and information at stake, lead the way with a sophisticated, innovative, pragmatic approach to cybersecurity.
Today, that means handing the reins to an executive who appreciates the totalizing nature of cyber threats and understands how they attack technological weaknesses, someone who can patch code while championing solutions across the company. It’s a job suited for one person: the chief data officer (CDO).
The Convergence of Data and Cybersecurity
Ten years ago, data began an evolution that made some wonder whether the scientific method was obsolete. Unprecedented amounts of raw data were streaming through digital systems. How would large organizations manage? According to Gartner, 90% of them would hire a CDO by 2019.
Meanwhile, everyone was using the same hardware and software to shop, chat, and bank. Troves of ordinary peoples’ personal identifiable information (PII) risked exposure. As cybersecurity expert Bruce Schneier said in 2009, “Cybersecurity isn’t a military problem, or even a government problem—it’s a universal problem.”
A decade later, the world faces a whole new crop of cyberthreats: huge data breaches, election hacks, ransomware in the cloud, the weaponization of AI, cryptocurrency mining, cyber-physical attacks. Keeping up with the criminals, let alone stopping them in their tracks, demands constant attention to a shadowy, anonymous, evolving enemy—and to the powerful data on which it feasts.
The Never-Ending Threat of Cybercrime
Last year, the WannaCry ransomware attack and Equifax data breach grabbed the biggest headlines in the English-speaking world. That’s what happens when PII is exposed in Britain’s National Health Services (NHS) and in one of the largest credit bureaus in the U.S. Similar to the notorious Yahoo breach—still the biggest in history, with 3 billion user accounts exposed—the immensity of the attacks attuned the public to the severity of cybercrime.
Yet these represented a fraction of the nearly 1,300 U.S. data breaches last year. Even worse, the total represents a 21% increase from the year before. The only thing that remained constant was the concentration: The vast majority of breaches occurred in the banking (50%) and medical and healthcare (28%) industries.
When nefarious criminals target large institutions, sometimes they make off with half-a-billion dollars in cryptocurrency, as was the case in the recent hack of Japan’s Coincheck exchange. But usually they take sensitive data to sell on the dark web. That’s where Social Security numbers, for instance, become conduits to all types of identity theft: applying for fake loans, opening fake credit cards, filing fake tax returns, taking over accounts.
These are the downstream activities that implicate innocent individuals—and send the cost traveling back up to the legitimate businesses caught in the crosshairs. A person receives a bill for thousands of dollars of purchases never made. Fraud is determined, but who bears the cost? Merchants that want to keep customers often find themselves tussling with banks over responsibility.
Just a single act of cybercrime contains layers of damage. Organizations that allow it to happen could find themselves dealing with angry customers, pleading for public trust, and entering uncharted legal territory for years to come. It would behoove them to take the threat as seriously as possible.
Cybersecurity Failures Are Leadership Failures
In the aftermath of the WannaCry and Equifax attacks, the worst part was learning that both could have been prevented. The WannaCry worm entered the NHS systems and infected it with ransomware by breaching outdated trusts. Three years before, NHS Digital had sent critical alerts urging the organization to migrate away from its flaws. The warnings went unheeded, and there was no accountability assessment in place to track this failure.
The Equifax breach was somehow worse. The company should have performed a routine update the moment it learned about a bug in its web application software. For unknown reasons, it didn’t. The breach happened mere months later. It had been eminently preventable.
In both cases, the underlying failure was not of technology but management. Data and information professionals fixed problems on their end. They even informed the supposedly correct parties of their fixes. Yet the critical nature of their fix did not make its way to the relevant stakeholders. Or maybe the right people were aware of the problem but did not see the value in fixing it. Or, most alarmingly—the information simply got lost in the chain of command?
How the CDO Is Uniquely Poised to Win on Cybersecurity
In the past, cybersecurity would get dumped on the CIO or would be the domain of a security chief. But if cybersecurity is about protecting the asset of information, and information in a digital universe is data, then only someone with a keen understanding of data should be addressing threats to information systems.
Last year, roughly 111 billion new lines of code were written in order to keep our world running. When those lines of code allow companies to sell goods and services, to run machines and print objects, the code must be secured across multiple systems.
CDOs are uniquely poised to understand the nuances of supply chain of data. Having lived the evolution of data storage and management—from ERP to intelligent master data management to laser-based storage—they know how to keep separate data in separate systems, to grant the right permissions, and issue the right amount of governance that strikes the balance between security and flexibility.
Having witnessed the nexus of big data, AI, and machine learning, CDOs know how to embrace sophisticated tools that can discover minute anomalies in systems and flag them for untrusted intruders. Well-versed in the history of authenticated encryption, they can direct discussion on the most technical components of trust and security.
But CDOs are not in the C-suite to focus on moving raw information. They are there to use data to improve business practices with an eye toward ROI. They understand that raw data is the company’s lifeblood but does not reach maximum value until it can be used to achieve revenue-driven ends. Having tons of datapoints perfectly organized achieves little if companies aren’t using that data to scale in smart, shrewd ways.
This is the unmatched blend of tech savvy and business savvy that the CDO brings to executive leadership. After GDPR comes into effect, a CDO will know that it applies to any company that has a single customer in the EU, which means practically every large U.S. business, and that Chapter 4, Article 33 requires companies to report personal data breaches within 72 hours of becoming aware of them. The CDO understands how to create a plan of action that ensures cybersecurity patches don’t get lost in the bureaucratic pipeline.
CDOs will, of course, face roadblocks, particularly in realms of legacy resistance and value quantification. But their diverse wealth of knowledge and experience makes them uniquely poised to clear the hurdles—something they’re already doing. According to a recent survey from Gartner, CDOs are delivering business impact and enabling a full digital transformation.
Key to that transformation is cybersecurity. The exposure is too great. The average Fortune 500 company employs more than 49,000 workers (53,000 if you include Walmart’s 2.2 million workers). All a hacker needs is one of them to click on one malicious link in a single phishing campaign.
With the dark web having gone corporate, the incentives for crime have become more polished, more lucrative. Businesses need a leader who knows how to keep data out of criminals’ sight—and how to get everyone on board.