Many years ago we worked with a person whose default position on a surprisingly large variety of issues and tasks came down to something like, "If you don't do things this way, the IRS can fine our company (or the CEO personally)." Now, this was long enough ago that the IRS had something closer to a full complement of agents, but it still had much bigger fish to fry. So, it didn't do all that well as a bogeyman in that situation. And even if the threat had been plausible, we all know you don't get the best work from people with an all-stick, no-carrot approach.
We occasionally (but too often) hear about massive leaks, or data breaches, or ransomware attacks, and similar dreadful tales, and, of course, we should all be doing what we can to prevent those things from happening. But for too many people, the experience of data and information security has mainly consisted of being told their password isn't complicated enough, or that they can't have access to certain data because they haven't filled out a particular form in a particular way, or that their default position as data stewards should be to deny access to most data.
Whenever we hear these incidents used to justify aggressive lockdowns on data, we're reminded of our former colleague's constant worried refrain. It turns out that telling people they have to perform certain tedious tasks, often in a prescribed and unpleasant fashion, or some vague disaster will occur, doesn't work all that well. People have jobs to do, and they will find ways around security and procedural roadblocks if they feel those prevent them from doing their job.
With this in mind, our approach, over the years, has not generally focused on selling data governance as a way to protect, secure, or otherwise keep data "safe." We will occasionally refer to the need to comply with data protection regulations, or the desire to avoid getting sued or robbed, but in general our approach to data governance has been to emphasize how data governance, done properly and consistently, helps ensure that data is made available appropriately but widely across organizations and business units.
This challenge is often described as "finding a balance" between data access and data security, and, to be honest, we're not sure how useful that description is. If data security practices prevent users from accessing data that would be useful, then, whatever that is, it is not data security.
We want to prevent data from being misused. But it's just as important, if not more important, to ensure that data is used to our advantage. But why not do both? When it comes to protecting data, there are plenty of practical, proactive, enabling steps that you can take, and in most cases taking them will turn out to be uncontroversial.
- The first step might be to catalog your data systems, applications, and tools. What kind of data is stored or viewed in each of them? Which office or business unit is responsible for collecting, storing, and maintaining that data? What security features or policies are already being applied to them?
- A natural next step might be to look at how the data assets associated with these systems are being stewarded. The most visible assets will be reports, dashboards, visualizations, publications, etc., but other key ones include processes that move or archive data (integrations, ETL/ELT, snapshots, backups). Each of these assets is made up of smaller assets, on down to the data element level: who is responsible for them, what does that responsibility look like, what support or training is available to them, etc.
- For data assets of all kinds, what sort of data classification protocols do you have in place? A rigorous classification scheme identifies at a glance what users can do with data. Who can view it? Who can it be shared with? Once shared, what can be done with it? How long do we keep it? What risks do we run simply by collecting it, and do we run additional risks by using it in our business?
- Data sharing agreements are also data assets (data artefacts?). We often think of these as contracts that specify how, when, and in what shape data will be shared with a third party, but in fact we all operate under largely informal data sharing agreements within our own organization.
- Data quality issue reporting & assessments probably fall outside the scope of security-minded data governance work, but it's certainly possible that a large enough data quality issue could be evidence of a breach or attack, or some form of corruption.
Crying wolf has long been understood to have diminishing returns, at best. But sometimes the sky is actually falling! We met a potential customer last week whose organization really did have a ransomware attack this year. Many, many large companies admit, with surprising regularity, that some elements of their customer data have been taken without their knowledge or permission. Laws and regulations are, on occasion, enforced. So securing and protecting data is indeed part of an organization's data management and governance remit.
And it's true that some systems are not sufficiently hardened against hackers, outside attacks, or other malfeasance. But far too many data horror stories come from people not following guidelines or protocols, in many cases because people don't know they exist, don't understand what they mean or which data they cover, or find it too onerous to abide by the regulations.
When those regulations are built by cataloging and documenting data assets, by classifying and stewarding data artefacts, and when people throughout an organization have a full understanding of the scope, span, utility, and availability of data, then the experience is not one of somebody outside our office imposing data barriers that prevent us from getting our job done. The experience instead should be one of having access to the tools, applications, data sets, and data stewards that enable all of us and all of our colleagues to make the best use of our data resources.
Our tool, the Data Cookbook, provides easy access and entry to users to build those catalogs and store that documentation, and to explain in plain English (or whatever language your organization speaks) where to find data, how to understand it, and what the impact of use or abuse will be. It helps enable data security and protection holistically, through understanding, transparency, and collaboration.
We hope you found this blog post useful. IData has a solution, the Data Cookbook, that can aid employees and the organization in their data governance, data intelligence, data stewardship and data quality initiatives. IData also has experts who can assist with data governance, reporting, integration and other technology services on an as-needed basis. Feel free to contact us and let us know how we can assist.