NEW TECHNOLOGIES, NEW TROUBLES
Emerging, open, or highly connected technologies—such as data lakes and the Internet of Things (IoT)—also mean challenges to data governance. “There is a greater risk that someone else’s problems will become yours as well,” said Quinn. “You should evaluate what obligations you have with regard to your customers’ data and whether you can make those part of any contracts you enter.”
The introduction of IoT devices “further extends an organization’s ability to collect personal data,” said Pote. “And with greater reach into data privacy comes additional privacy and compliance obligations.”
Data governance and management help ensure that data lakes don’t turn into data swamps, said Sellers. “Operational or integration-level inaccuracies, diverse data sources, compliance issues, and real-time access and updates can all muddy data quality and defeat the purpose of your data lake.” This creates risks “in data compliance as well as long-term business impacts including disengaged customers, missed opportunities, brand value erosion, and poor decision-making.” She urges looking at data mesh—“a decentralized, domain-driven approach to data management.”
ADDRESSING THE PROBLEM
Having an unobstructed view of where data is originating and where it’s being consumed is an important step to addressing these issues. Here are experts’ recommendations on managing and aligning data with the pressing requirements of business:
- Understand your data ecosystem. “We need to lead this by understanding how the data is being used and ensure there are clear definitions, security, and access rights,” said Morakabati. “We need a cross-functional governance structure with standard practices to efficiently manage data and embrace end-to-end accountability for the data. This requires that we—as CIOs and IT professionals—understand the data that drives most of the business’s practices and processes, as well as how it is protected. For many organizations today, this is a gap we need to close.”
“Take inventory of your data ecosystem, to understand exactly where all your data is and who has access to it,” said Jerod Johnson, technical evangelist at CData Software. “Once that knowledge is in place, the next step is implementing secure data pipelines or data connectivity across your ecosystem. With the right data connectivity tools, teams can ensure that the right users have access to the right data, with user permissions carefully controlled and monitored, and IT teams can manage a single point of data access for all business users in the cloud.”
Cantu-Park urges that data managers “ruthlessly map their data and flows,” to “ensure each data asset is understood for its sensitivity and that it has an appropriately named custodian who can champion the controls around this data.” A clear understanding of what data is actually needed is also key, he added. “This should be driven by executive functions defining the data questions that need answering and building and maintaining the data and business intelligence team who are able to subsequently answer them.”
As part of the data identification exercise, “map the data to business processes,” Pote advised. “And then consider whether the data collected and handled is critical to the business process. Is data being used effectively? Do these business processes drive business objectives? If the answer is ‘no’ to these questions, then there is an opportunity to minimize data, and minimize data privacy and compliance obligations.”
- Security first. Security needs to always come first, said Quinn. Questions around security should include, “What security do you have in place? What remedies, including backups, do you have in place for after a breach?” Quinn said. “Next, determine what you need to do to implement better security and recovery. Will you be able to easily access and restore the backups if your main systems are breached? Finally, put those measures in place and wait for them to be put to the test. Regardless of whether they work or not, each time they are tested is an opportunity to reassess your security and response plan.”
The post-pandemic world “has become riddled with cyberthreats that have the capacity to cripple enterprises,” Russell warned. “To mitigate risks, organizations should adopt data protection and backup solutions. Keep at least three data copies stored on at least two different forms of media—one offsite, one offline—and create a backup recovery plan to prevent financial and reputational damage. In other words, businesses should practice data immutability to balance out risk with reward. Current threat vectors also indicate that organizations have at least one copy that is offline, air gapped, or immutable.”
- Engage the entire enterprise. Beyond security, it’s important to understand that data is an organizational asset in which everyone needs to play a role in governing and managing. “To align the data and the business you need communication,” said Fritchey. “The people responsible for the technology need an understanding of what the business really does and really needs. The business needs to be able to understand what the technology, especially what the technology your organization can currently support, can do for them. While it sounds simple, it really isn’t. Each group tends to speak a different language. You’ll have to work at understanding each other in order to better support each other. To me, that’s the key.”
- Elevate the roles of IT and data managers. This calls for redefining the roles and responsibilities of IT and data management professionals as well. “Data is at the intersection of every function in a company, so data scientists and data-minded IT professionals can no longer be purely technical,” said Morakabati. “While CIO and CISO may take the lead on data security and protection, we can’t expect the business to understand the bits and bytes of the data. We need to work cross-functionally across the business to build this strength and understanding of the data environment to ensure the data is available when you need it.”
IT and data management teams “can provide assurances that data is aligned to the needs and requirements of the business by working closely with line of business users to better understand their needs,” said Johnson. “Open communication and regular evaluation of the data ecosystem can help teams make data-driven decisions about how to best provide access to the business data used to derive the actionable insights that drive businesses forward. Democratizing data access helps businesses explore their data easily and quickly to understand any gaps in knowledge.”
- Review often and ask questions. An annual review of data protection measures and breach response plan “will make all the difference in making sure data is aligned to the needs of the business,” said Quinn. “Because of how fast threats develop, this is not something where you can simply set it and forget it. Regular reevaluation helps you recognize the data you are collecting, the measures you are taking to store and protect it, and, ultimately, the price you pay for doing so.”
Questions that need to be asked should come from the top down, and include: “What are your business goals? Which data assets can validate your business goals and steer your business?” said Graupmann. From a user perspective, questions that need to be asked include: “Which data assets do I have and how can these additionally contribute to my business goals?”
- Educate. Measures such as training, educational resources, and workshops are also important, said Russell. “Training and education will prepare employees to keep an eye on the horizon for any anomalies in data alignment. Zero trust policies will enhance that effort—where human error still poses a threat. Adopting a zero-trust approach means companies will be able to cover all bases that could impact data alignment.”
“Governance is the key to ensuring that company data is a consistent, secure, and organized asset that aligns with policies and standards,” said Sellers. “Proper data governance will ensure that data has integrity and doesn’t get misused or abused. When implementing a governance strategy, companies should do a thorough audit to confirm how data is moving and who is receiving the data on the other side. With that information, safeguards can be put in place to ensure data stays secure and compliant amidst changing regulations. Once it’s known what safeguards are required, the company can update its contractual language, implement new policies, and ensure the new changes are documented internally.”