Topics: Cybersecurity, Risk Management, Technology

August 13, 2019

Risk Changes the Data Governance Game

The speed of change is so quick that it is easy to forget that modern, mainstream technologies and business practices are often still relatively young. For example, that smartphone in your pocket didn’t exist 12 years ago. Neither did the widespread term that has become common in the boardroom and vital to modern businesses: data governance.

Data governance refers to the set of people, processes, and technologies required to ensure that data is managed as a corporate asset. The standard methodology of data governance involves making sure a company’s data is always available, secured, and providing value to the business throughout its lifecycle.

The initial business cases for adopting data governance as a standard operational protocol included a growing information overload problem, and the realization that there was both opportunity and risk involved with the exponential growth in data volume available to companies. With the adoption of the internet and other technology, suddenly there was the opportunity to derive valuable business intelligence from this data, and the risk of potential legal exposure stemming from unmanaged, undiscovered data falling into the wrong hands.

Around 2005, in the earliest days of data governance, the term was defined as “data in databases that we control.” This definition has changed wildly in the intervening years, thanks to the proliferation of smartphones, cloud computing, and the Internet of Things, as well as the need to be able to manage unstructured data, another term for information that is not held in databases. It has further evolved thanks to new definitions proposed by standard-setting organizations that recognized the increased value of data sets. All of these factors have made data governance more difficult because of the increased volume and variety of data, and the velocity at which data is generated, stored, and mined for insight.

New, strict privacy regulations such as the European General Data Protection Regulation (GDPR) and California’s Consumer Protection Act, paired with the ever-expanding and complex threat landscape, make meeting the goals of data governance more difficult than ever for those charged with the task.

A New Force Driving Data Governance

Data governance evolved over time into a set of competencies, as can be seen by the Data Management Association’s functional data governance framework. Successfully implementing these functions would give organizations the ability to effectively manage the data deluge that companies have come to expect and to derive powerful new competitive advantages through the use of business intelligence (BI) and analytics.

Today, however, the objective of data governance is changing once again, as enterprise security risk becomes a tier-1 board concern and data security and compliance emerge as two of the greatest sources of this risk for companies.

This introduces two problems:

  • Data risk has traditionally been the purview of legal departments, and their primary set of controls for mitigating that risk falls under the umbrella of data lifecycle management. Today’s most pressing data risks fall outside that competency. Data breaches are commanding headlines, and regulations with biting enforcement teeth continue to emerge. Those changes have led regulators and the public to look to the board and other senior executives to answer for a company’s mismanagement of data.
  • Most organizations’ approach to managing data access is woefully insufficient. Identity and access management (IAM) programs are often administered at the project level, rather than the enterprise level, leaving large volumes of data without sufficient access controls. This lack of control opens a veritable Pandora’s box of security and compliance risks. It is impossible to build walls around data anymore. It is possible, however, to govern who has access to that data, and this is a competency boards must insist that their enterprises master if they want to conduct sound oversight of the related risks.

Overcoming these problems requires a change in mindset. “Classic” data governance has opened up a world of opportunity for businesses to benefit from BI, artificial intelligence (AI), and digital transformation. However, none of these modern advancements will deliver the anticipated benefits if implementing them opens up the enterprise to excessive risk.

Moving to Risk-Centric Data Governance

To reap the benefits of BI, AI, and digital transformation, organizations today must embrace a new model of risk-centric data governance, and the board can help those leading the data governance function by pressing for change. This is how organizations can overcome the two challenges articulated above:

  • Data governance can no longer be dominated by legal departments. This function should be driven by a committee or council of management and key business leaders that includes stakeholders from across the organization (human resources, information technology, legal, the chief information security officer, executive leadership, and so on). This will ensure that data governance programs effectively meet the complex needs of the business today, while also “future-proofing” the program against falling out of step with evolving business requirements as time goes on. A chosen leader of this council can then report to the board on progress, challenges, and emerging risks identified by the group.
  • IAM programs must become strategic enablers for the entire business. As mentioned earlier, IAM has historically been implemented at the project level, with specific applications and business units. This has to change. Just as many companies rely on enterprise resource planning systems to run their businesses, they should rely on IAM systems as the heart of enterprise data governance. Doing so will provide assurance that only the right people access the right data for the right purposes. This is the single most important control companies can implement to reduce enterprise risk from data breaches and compliance violations. Without effective IAM, digital transformation efforts will result in massive new vulnerabilities that can potentially cripple a business. The board should ask about the organization’s IAM practices, and insist that management strengthen its use of IAM tools as a first line of risk mitigation.

Data is the currency of business today. It is also the greatest source of risk. By ensuring that the data governance leaders at your company adopt a risk-centric approach to data governance, companies can reap the full rewards of next-generation data initiatives without unintentionally introducing massive new sources of risk.

Julie Talbot-Hubbard is the general manager and global vice president for Identity & Data Management at Optiv. Interested in hearing more from Julie? Register to attend the 2019 NACD Global Board Leaders’ Summit. She will speak on an “Ask the Experts” panel on cybersecurity and data privacy.