CUTTER BUSINESS TECHNOLOGY JOURNAL VOL. 31, NO. 1
Data governance, although not a new practice, is more critical than ever, according to Cutter Senior Consultant Claude Baudoin. A recent increase in privacy breaches, Internet of Things (IoT) data generation, and data residency challenges enforces the urgency to prioritize and address vulnerabilities and formulate a governance plan to responsibly manage enterprise data.
Given all the attention devoted to data in information systems since at least the 1960s, the titular question may seem strange or silly. You may also remember the sudden popularity of the “chief data officer” (CDO) role a few years ago¹ as proof that we didn’t wait for 2018 to address the need to apply governance principles to data. So why would 2018 see this subject return to the front stage? Let’s begin with three specific reasons.
The Return to Data
1. Focus on Privacy
Each of the past several years has seen breaches of security resulting in the release of personally identifiable information (PII). The Equifax accident was notable in 2017 because of the sheer number of records affected — 143 million, more than half the adult population of the US!
And that’s not all. In May 2018, the EU’s General Data Protection Regulation (GDPR) will come into effect. GDPR imposes strong restrictions — and potentially huge fines in case of violations — on organizations that store PII of citizens of the EU (500+ million people in 28 countries, including the UK for now). Management and IT consulting firms are already ramping up their offerings on how to achieve GDPR compliance.
2. Internet of Things
When devices first began capturing data and exploiting it only within a limited perimeter and in a fleeting manner, few people paid attention. Now that devices are connected to the Internet — and the data they capture is being moved to the cloud to feed big data analytics and machine learning algorithms — the questions of who does what with that data, and where and when, become much more consequential. This relates to privacy, of course, but also to my third reason, data residency.
3. Data Residency
Companies — and their lawyers — are waking up to the fact that with 200 countries in the world, some of which are federations without uniform laws, as well as supranational entities like the EU and various regulations buried in trade pacts, storing data in another country or jurisdiction (e.g., by using a cloud service) or perhaps just moving it through another country, could violate a law even if the data does not contain PII. Many countries forbid banks to store data outside their borders, and a few treat natural resource data (e.g., data on oil reserves) as another form of “sovereign data,” whose export constitutes a crime. In fact, a recent report by the Object Management Group (OMG) on data residency states that ignorance or neglect of this issue poses an existential risk to the IT services industry.
This trifecta poses significant challenges as we enter the new year. CIOs — or, for that matter, CEOs or boards of directors — who do not understand the risk posed to their organization if they cannot answer the question, “It is 10 pm, do you know where your data is?”² are at great risk of jeopardizing their organization’s existence and, of course, their own careers.
So what should an organization do in 2018 to address these issues?
Model Your Data
You cannot manage your data if you do not know what it is, what parts of it are sensitive, or where it is located. You need to map all your data assets. It is a huge task if it hasn’t ever been done, but it is critical. Some side benefits will be to detect integration issues, the need for master data management, and more. But the immediate goal is to understand what data poses security, privacy, and data residency challenges, and then prioritize and address vulnerabilities.
Review Cloud, Outsourcing Contracts
Under GDPR and other laws and regulations, the owners of the data cannot abdicate their compliance responsibility under the pretext that the responsibility lies with the data custodian (e.g., a cloud storage or data center provider). In addition, it is becoming too risky to sign a cloud service agreement that does not specify that the customer is informed when its data is moved across jurisdictions, or when a security incident has been detected. For more guidance on these topics, see the various free guides from the Cloud Standards Customer Council (CSCC).
Bridge the OT/IT Chasm
In industrial companies, the IoT is often an extension of earlier control systems that functioned within disconnected silos. The “operational technology” (OT) owners of these systems rarely communicated with the IT organizations and, in fact, often didn’t need to because their control systems used special-purpose computers, operating systems, and network protocols.
Now that many IoT systems are general-purpose computers connected to the Internet, OT people cannot ignore the skills and concerns of IT, yet they still fear the intrusion into their affairs of generic IT personnel who lack a deep understanding of their special requirements. The two organizations (in fact, while IT is often centralized, OT has sprung up organically in each line of business, so we’re talking about more than two departments) need to collaborate and find the right combination of rigor and agility before an accident happens.
Put Governance in Place
What does it mean to put governance in place? For starters, decide who oversees the data. Is it the CIO, is it a separate CDO (who reports to whom?), or someone else? Then, start thinking about the policies you need — for your IoT data, for PII, for IT service contracts, and so on. Write those policies, get them approved, train people on them, and keep them simple. Next, use a recognized responsibility assignment methodology — RACI, or one of its derivatives — to decide who does what. If you want to tie those policies and organizational matters to IT management frameworks like COBIT or ITIL, fine — but just asking a mid-level IT manager to adopt ITIL 2011 is not going to solve the high-level problem of responsibly managing the organization’s data (and that of its customers or employees).
¹ The first known CDOs were named at Capital One in 2002 and Yahoo! in 2004, but it was not until 2012 that the role became more generally known. It’s still worth noting that the need for a CDO is not universally accepted: it seems to contradict the middle initial of the CIO title. The blunt response of the CIO of a major financial institution, when questioned about one of the articles proposing this role, was “I thought I was in charge of the <bleep> data!”
² This is one of many imitations of a public service announcement used during evening news TV programs in the 1960s in the US.