Navigating the High Stakes World of Governance, Security, and Regulatory Compliance

<< back Page 2 of 2


Emerging, open, or highly connected technologies—such as data lakes and the Internet of Things (IoT)—also mean challenges to data governance. “There is a greater risk that someone else’s problems will become yours as well,” said Quinn. “You should evaluate what obligations you have with regard to your customers’ data and whether you can make those part of any contracts you enter.”

The introduction of IoT devices “further extends an organization’s ability to collect personal data,” said Pote. “And with greater reach into data privacy comes additional privacy and compliance obligations.”

Data governance and management help ensure that data lakes don’t turn into data swamps, said Sellers. “Operational or integration-level inaccuracies, diverse data sources, compliance issues, and real-time access and updates can all muddy data quality and defeat the purpose of your data lake.” This creates risks “in data compliance as well as long-term business impacts including disengaged customers, missed opportunities, brand value erosion, and poor decision-making.” She urges looking at data mesh—“a decentralized, domain-driven approach to data management.”


Having an unobstructed view of where data is originating and where it’s being consumed is an important step to addressing these issues. Here are experts’ recommendations on managing and aligning data with the pressing requirements of business:

  • Understand your data ecosystem. “We need to lead this by understanding how the data is being used and ensure there are clear definitions, security, and access rights,” said Morakabati. “We need a cross-functional governance structure with standard practices to efficiently manage data and embrace end-to-end accountability for the data. This requires that we—as CIOs and IT professionals—understand the data that drives most of the business’s practices and processes, as well as how it is protected. For many organizations today, this is a gap we need to close.”

“Take inventory of your data ecosystem, to understand exactly where all your data is and who has access to it,” said Jerod Johnson, technical evangelist at CData Software. “Once that knowledge is in place, the next step is implementing secure data pipelines or data connectivity across your ecosystem. With the right data connectivity tools, teams can ensure that the right users have access to the right data, with user permissions carefully controlled and monitored, and IT teams can manage a single point of data access for all business users in the cloud.”

Cantu-Park urges that data managers “ruthlessly map their data and flows,” to “ensure each data asset is understood for its sensitivity and that it has an appropriately named custodian who can champion the controls around this data.” A clear understanding of what data is actually needed is also key, he added. “This should be driven by executive functions defining the data questions that need answering and building and maintaining the data and business intelligence team who are able to subsequently answer them.”

As part of the data identification exercise, “map the data to business processes,” Pote advised. “And then consider whether the data collected and handled is critical to the business process. Is data being used effectively? Do these business processes drive business objectives? If the answer is ‘no’ to these questions, then there is an opportunity to minimize data, and minimize data privacy and compliance obligations.”

  • Security first. Security needs to always come first, said Quinn. Questions around security should include, “What security do you have in place? What remedies, including backups, do you have in place for after a breach?” Quinn said. “Next, determine what you need to do to implement better security and recovery. Will you be able to easily access and restore the backups if your main systems are breached? Finally, put those measures in place and wait for them to be put to the test. Regardless of whether they work or not, each time they are tested is an opportunity to reassess your security and response plan.”

The post-pandemic world “has become riddled with cyberthreats that have the capacity to cripple enterprises,” Russell warned. “To mitigate risks, organizations should adopt data protection and backup solutions. Keep at least three data copies stored on at least two different forms of media—one offsite, one offline—and create a backup recovery plan to prevent financial and reputational damage. In other words, businesses should practice data immutability to balance out risk with reward. Current threat vectors also indicate that organizations have at least one copy that is offline, air gapped, or immutable.”

  • Engage the entire enterprise. Beyond security, it’s important to understand that data is an organizational asset that everyone needs to play a role in governing and managing. “To align the data and the business you need communication,” said Fritchey. “The people responsible for the technology need an understanding of what the business really does and really needs. The business needs to be able to understand what the technology, especially what the technology your organization can currently support, can do for them. While it sounds simple, it really isn’t. Each group tends to speak a different language. You’ll have to work at understanding each other in order to better support each other. To me, that’s the key.”

  • Elevate the roles of IT and data managers. This calls for redefining the roles and responsibilities of IT and data management professionals as well. “Data is at the intersection of every function in a company, so data scientists and data-minded IT professionals can no longer be purely technical,” said Morakabati. “While CIO and CISO may take the lead on data security and protection, we can’t expect the business to understand the bits and bytes of the data. We need to work cross-functionally across the business to build this strength and understanding of the data environment to ensure the data is available when you need it.”

IT and data management teams “can provide assurances that data is aligned to the needs and requirements of the business by working closely with line of business users to better understand their needs,” said Johnson. “Open communication and regular evaluation of the data ecosystem can help teams make data-driven decisions about how to best provide access to the business data used to derive the actionable insights that drive businesses forward. Democratizing data access helps businesses explore their data easily and quickly to understand any gaps in knowledge.”

  • Review often and ask questions. An annual review of data protection measures and breach response plan “will make all the difference in making sure data is aligned to the needs of the business,” said Quinn. “Because of how fast threats develop, this is not something where you can simply set it and forget it. Regular reevaluation helps you recognize the data you are collecting, the measures you are taking to store and protect it, and, ultimately, the price you pay for doing so.”

Questions that need to be asked should come from the top down, and include: “What are your business goals? Which data assets can validate your business goals and steer your business?” said Graupmann. From a user perspective, questions that need to be asked include: “Which data assets do I have and how can these additionally contribute to my business goals?”

  • Educate. Measures such as training, educational resources, and workshops are also important, said Russell. “Training and education will prepare employees to keep an eye on the horizon for any anomalies in data alignment. Zero trust policies will enhance that effort—where human error still poses a threat. Adopting a zero-trust approach means companies will be able to cover all bases that could impact data alignment.”

“Governance is the key to ensuring that company data is a consistent, secure, and organized asset that aligns with policies and standards,” said Sellers. “Proper data governance will ensure that data has integrity and doesn’t get misused or abused. When implementing a governance strategy, companies should do a thorough audit to confirm how data is moving and who is receiving the data on the other side. With that information, safeguards can be put in place to ensure data stays secure and compliant amidst changing regulations. Once it’s known what safeguards are required, the company can update its contractual language, implement new policies, and ensure the new changes are documented internally.”
