The great data management conflict

How to secure, protect and exploit the value in your data?

See how CIOs, CISOs and data specialists overcome their data management challenges

Download the Report to learn

  • How to find a common understanding of what data actually is, or what it should be used for.
  • How to see the strategic value of data when the conversation is dominated by privacy and security.
  • How CISOs, CIOs and data governance specialists in leading UK companies see their data management issues, and their recommendations for overcoming the challenges.

The great data management conflict

Can you secure, protect and exploit the value in your data?

The strategic value of data versus the risk

One of the biggest challenges around organisational data is that there isn’t a common understanding of what data actually is, or what it should be used for.

Organisations can find it hard to see the strategic value of data when the conversation is dominated by privacy and security – it’s still about risk, and that’s where the budget comes from.

These organisations don’t know what to do with data because they don’t know what questions to ask to get the answers they need – they don’t even realise it could be an asset.

“My bank is doing what banks do – looking at where it makes sense to use data safely but not necessarily competing on data. Privacy is high on the board’s agenda, but not data.”

European Data Privacy Officer for a bank specialising in wholesale assets.

“Data isn’t a balance sheet item.”

Senior information management specialist for a large fintech organisation.

On the other side, those who work in data-centric organisations take a different view. The global VP Engineering & IT for a company in charge of £2bn in customer data said,

“I have different issues. The challenge from our board is how do we use the asset we have as much as possible? How do we drive and empower the insights of our clients, so they know the next best step to take?”

And yet his concern is that the data could be over-indexed so that the ethics of how it’s used are called into question.

This is part of the issue that causes such a headache for businesses setting data management strategy and trying to balance the data value / risk equation. On the one hand there’s the CISO, whose objective is to lock down and secure the organisation against threats, while at the same time the CIO may be trying to make data available in order to deliver new ways to uncover business value or deliver digital transformation. And the DPO is trying to put in place policies that protect data. So there’s a conflict around securing, protecting and using data.

In this report we examine how CISOs, CIOs and data governance specialists in leading UK companies see the priorities and their recommendations for overcoming the challenges.

Report methodology

The insights shared within this report were acquired during a roundtable discussion with a select group of data security specialists from leading UK companies. The event was hosted by Exonar and chaired by its CEO, Danny Reeves, alongside James McCarthy, CMO.

Present at the event were:

  • Digital data director for a Government department.
  • Global VP Engineering & IT for a company in charge of £2bn in customer data.
  • Senior information management specialist for a large fintech organisation.
  • European Data Privacy Officer for a bank specialising in wholesale assets.
  • Independent fraud, risk and security specialist.

“What’s the strategic value to the business of data? What I’m hearing is that it’s still very much driven by security. Fear and risk are driving that. Very often organisations don’t know what they can do with their data. They don’t know what questions to ask to start the debate. Are organisations so focussed on privacy and security that no one’s thinking about it as a strategic asset?”

Danny Reeves, CEO, Exonar

Step 1: Encourage collaboration

From the discussion at our roundtable it was clear that data is very much a black and white subject. Organisations are either hugely excited about the opportunity that data presents, or hugely defensive about it. There doesn’t seem to be much middle ground because unless data is the business, it’s not seen as a strategic asset, rather it’s something to protect.

As an independent fraud, risk and security specialist summed up the conflict,

“It’s an interesting split. Insurance is a good example of where the temptation to cross sell and manoeuvre data around has been too much. At the other extreme, organisations only see data as a risk, trying to rid themselves of sensitive data as soon as they can.”

The digital data director for a Government department summed up how important collaboration across teams and departments is in finding the balance between risk and reward.

“We asked ourselves how to put information out in the public domain. We didn’t know what would happen with it. We were worried it would be misused, but it’s had a great use for many people. Now our default position is to put out as much as we can, to date that’s 12,000 data sets. We need governance that’s ‘just enough’. The danger is we’re all trying to do things separately. So, we need to look collectively across departments and join up.”

Data as a risk

One of the biggest questions on all our guests’ lips regarding risk was: how can you protect what you don’t know exists?

“I don’t know what I don’t know,” said the senior information management specialist for a large fintech organisation. “There’s also the issue of data hidden in plain sight. We were paying a company to store our data and analyse it, but it turned out we had it all in Office 365.”

While the independent fraud, risk and security specialist took the issue to a much more personal level, saying, “As individuals we’re all guilty of not knowing what data we have. Who hasn’t said ‘Ooh, I think it’s in my email somewhere’?”

Every business is exposed

The discussion revealed that even data-driven businesses, for whom there is a firm view that data is an asset, struggle to keep track of the data within their estate. As the global VP Engineering & IT for a company in charge of £2bn in customer data explained,

“At the core of our business, yes, we know what data we have, where it is and how it moves round the business because it’s organised. But when it gets into the data science community, we lose the view of the data. Out of the core it’s anonymised, but when they start to add other data, then there’s a question mark and that’s the exposure and the risk we have.”

It’s this exposure to attack, or even the thought of it, that makes organisations so defensive about their data, feeling like their only option is to lock it down and protect it. Yes, data poses a risk to the organisation, but it also presents huge opportunity. When business functions operate in silos, working to their own agenda, they lose sight of the bigger data management strategy picture and miss opportunities to do the right thing with data.

Action: Align business functions

Exonar’s previous research has identified a disconnect between the privacy and security functions within the business. It leads to a lack of alignment, misaligned priorities, and inadequate training.

Our European Data Privacy Officer for a bank specialising in wholesale assets shared a similar experience:

“If the CFO has a mandate from head office, I’m the one who comes in later saying we are going to have problems...Which makes me think, if someone tries to create a new product, I’m asking myself will I even hear about this?”

As the senior information management specialist for a large fintech organisation said,

“We have a CTO and CDO and a CISO. We are talking about data strategy, but it’s got no budget or owner for it.”

If organisations are to successfully tackle the issue of data as a risk, siloed functions need to join forces to collectively solve the problem.

“There needs to be a middle ground – enable things that are commercially important without regulation preventing it.”

Independent fraud, risk and security specialist

Our guests agreed that the CIO was best placed in most organisations to take on the responsibility for fostering better collaboration across the business because they are the person responsible for aligning the business strategy to technology.

Things to think about...

  1. No company – not even a data-driven one – can point to the fact that it has complete visibility over its data.
  2. Considering that a business ‘can’t track what it doesn’t know’, Exonar Reveal is used by organisations to discover the data that is hidden inside an estate at scale.
  3. Someone at board level, possibly the CIO, needs to take ownership for improving collaboration between disparate teams to ensure everyone is pulling in the same direction when it comes to data.

Step 2: Manage over-retention of data

Article 17 of the EU GDPR states that “the controller shall have the obligation to erase personal data without undue delay” when it’s no longer required.

This makes sense when data poses a risk to the organisation and it costs money to store. Why would an organisation retain data that is no longer required? Our panel agreed that the legislation is a good thing:

“As a public body we are subject to freedom of information. At the beginning with GDPR, there was a real build up, but in reality, data protection was there already, so it just put another layer and clarity on that. Where we hold data is important, whether on-premise, cloud, or hybrid cloud. And also issues of accessing it, where it’s kept and how long we keep it for,”

Digital data director for a Government department.

While the European Data Privacy Officer for a bank specialising in wholesale assets considered the consequences of non-compliance, saying:

“The FCA is now looking at various aspects of business, for example the Tesco Bank cyber-attack. That was a good one for us because it showed that even if you haven’t breached policy, but there’s an external breach, they will still fine you.”

But while everyone agreed that regulation is a good thing, in reality, converting corporate policy into business-as-usual is difficult because there’s a natural reluctance to delete data.

Just in case

The policy may be about ensuring compliance and protecting the organisation, but there’s a disconnect where the policy isn’t put into practice because people are nervous about doing so.

“One of the biggest challenges we have is how long data is kept for. Some people don’t want to let go of it in case it has value in the future,” said the digital data director for a Government department.

The senior information management specialist for a large fintech organisation agreed – “Keeping it ‘just in case’ is a favourite phrase. But by the time we get around to finding it, it’s too old.”

While for our European Data Privacy Officer for a bank specialising in wholesale assets, it was a source of frustration: “When people ask if they can retain data, I can’t give ‘just in case’ as a legal reason to do so!”

Apprehension

Others in the organisation know that the data needs to be deleted, but are still reluctant.

“I found some data in Canada with 5 million people’s information that hadn’t been looked at for 10 years,” said the senior information management specialist for a large fintech organisation. “Do we need it? Do people even know it’s there?”

In summary, our independent fraud, risk and security specialist articulated what everyone feels, “It takes a bold organisation to delete data.”

Confusion

The discussion with the panel also suggested that there was an education piece that needed to take place before acquiring the data. Some found that third parties and partners will send through unnecessary data, which the business then finds itself responsible for securing.

“We see it all the time,” said the global VP Engineering & IT for a company in charge of £2bn in customer data. “People don’t have mastery of their own data, so they chuck it at us. A lot of our time is spent doing the data discovery piece. Because they can’t see data as an asset, they don’t know what data they’ve got.”

The senior information management specialist for a large fintech organisation elaborated with an example:

“We have an issue right now with passports where we thought we weren’t getting anything except basic details, but we are getting biometric information that we don’t want. So, we’ve been through a massive remediation project.”

Summarising the core issue, the European Data Privacy Officer for a bank specialising in wholesale assets said, “Once you have the information, you have the responsibility to secure it – so you’re better off not having it in the first place.”

Action: Practical guidance

Organisations know that they need to ingrain their policies so that they are followed in practice, but it’s clear that when it comes to business-as-usual this is hard to do. In the first instance, a privacy policy needs to be simple, strong and robust. This includes the rules around reusing data, because there’s no point holding onto information if you’re not allowed to process it for a secondary reason.

“The governance layer is so important.”

Independent fraud, risk and security specialist

The policy also needs to be practical so that people across the organisation – from the C-suite right down to the frontline workers – are clear about what it means in practice. Providing examples or hosting dedicated training sessions will help people understand what to do with data.

For example, if the business is not deleting, there needs to be a clear understanding of where and how the data is to be stored so that it doesn’t become lost, forgotten or vulnerable over time.

Things to think about...

  1. Becoming an ‘information intelligent’ organisation so the business understands how to come at the data from a strategic point of view.
  2. Helping people to understand the role they personally play in data governance to give them the confidence to delete or store data in the right place when it’s no longer needed, rather than keeping it ‘just in case’.
  3. Thinking about how to use technology to ingrain policy into practice and automate process wherever possible to avoid human error.

Step 3: Elevate the profile of data

When looking at how to raise the profile of data, organisations need people in data security and privacy to understand how they use their data operationally and to ask the key questions:

  • How open is the organisation to seeing data as an opportunity rather than risk?
  • How do you store your data and what are the dynamics across the data?

The key is getting all teams aligned around what the strategic use of the data should be, which eliminates paradoxes within teams. For example, the senior information management specialist for a large fintech organisation said, “Our exco think data is the output of the business rather than it IS the business.”

However, it can be hard. “[Data] is another thing on the list of things to do,” said the digital data director for a Government department. “There’s so much we are trying to do...”

“We see that people want to own the end-to-end supply chain of their data. Companies think they’ve got a gold mine. But they have no idea how to tap it.”

Global VP Engineering & IT

Communicating upwards

Data is incredibly complex and while there’s a responsibility to ensure that data management policies are in place to protect it, there’s also the responsibility for people to manage upwards, informing the senior stakeholders of what the reality is, what does/doesn’t work, and what could be improved. Unless senior people understand what’s involved in managing data, it’s impossible to raise the profile of data in the organisation.

As the global VP Engineering & IT for a company in charge of £2bn in customer data said, “The challenge I have with business leaders in my organisation is they just assume you are on it. And they get surprised when you ask tough questions, they say ‘surely that’s your job’. Managing the data is so far from their mind.”

While the senior information management specialist for a large fintech organisation commented, “If you go to an exec and she sees a document with lots of pretty pictures and numbers she’s happy. They don’t see that someone has spent 3 weeks digging through systems to get that data. They don’t feel the pain and certainly don’t see the asset.”

Failing to appreciate the focus

Every stakeholder in data has a valid point of view. The DPO, for example, is there to act as the guardian of data because they don’t want it used inappropriately.

“People think we object to the use of data, but we don’t, we object to the inappropriate use of data.”

European Data Privacy Officer for a bank specialising in wholesale assets

They see the potential for data to be collected and processed without the appropriate consent, causing unnecessary risks for the organisation. When involved in the right way, the DPO can help the organisation to make good decisions about data.

As the European DPO explained, “We need to know the thought process behind where a mandate came from so we can say, ‘well you can’t do it this way, but I can help you do it another way, which is compliant and that still delivers what you need it to’. We need the foresight into the information needed and what it will be used for.”

Action: Align data to the business goals

Our panel agreed that the profile of data needs to be raised within the organisation so it is acknowledged as both a risk and an asset. Summarising, our independent fraud, risk and security specialist said:

“With data as an asset it depends on what you’re trying to achieve. For the [global VP Engineering & IT for a company in charge of £2bn in customer data] it’s absolutely core to the business. For the [digital data director for a Government department] it’s a reputational thing. For the [European Data Privacy Officer for a bank specialising in wholesale assets], it requires thinking about what the core objectives of the business are, and how what she does as an individual supports the board.”

Defining data has to start with collaboration right at the top of the business, where every stakeholder is involved early on in the discussions and the decision-making process, so they can help guide the organisation on how the data can best be used. Where possible, data should always be a board agenda item. Then it is filtered down throughout the business, and people are educated on how to both protect it and distil its inherent value to the benefit of the customers and the business.

“If the CEO says ‘my objectives are 1, 2, 3, 4’, then we as data leaders need to think about how we map what we do with data to the organisation’s strategic goals... That’s how I get the budget for what I’m trying to achieve because what I’m doing is aligned – using the same language, vocabulary, describing it in the same way as the board would.”

Independent fraud, risk and security specialist

Things to think about...

  1. Clearly defining the roles at a board level and allowing individuals to ‘sell’ themselves across the business to raise awareness that ‘I’m here, and I can help with X’.
  2. Establishing a common language internally to make sure that everyone is using the same vocabulary so that every business function is describing data in the same way.
  3. Executing a strong internal communications campaign defining the different roles, stressing the importance of privacy and security, sharing ‘success’ stories – or near misses.
  4. Making people feel like they want to take ownership by making data personal, empowering people to get on but training them right so they keep privacy and security front of mind.

Action: Lock down data at source

In an ideal world organisations would be able to protect themselves against a data breach ever happening. But we all know that hackers are getting increasingly sophisticated in their methods, and of course, unintentional mistakes by insiders leave the business exposed and vulnerable.

In addition, we know that under GDPR organisations can be fined extortionate amounts. But how the ICO chooses to impose its fines for non-compliance is down to several factors, such as:

  • The severity of the personal data breach.
  • The measures taken to ensure compliance.
  • The willingness to respond to the data subjects when they exercise their rights.
  • The degree to which privacy by design is respected.

We’ve witnessed this in action with the fines to Marriott (£99m) and British Airways (£183m - now reduced to £20m!), which did not equate to 4% of their global annual turnover.

Therefore, for organisations to ensure that their data is adequately protected, best practice dictates that it should be locked down at source with the security measures appropriate to the type of information being stored. Under these circumstances, even if a hacker breached the perimeter wall, or someone internally tried to steal data, it would be much harder for them to access the information and extract it from the data estate.

Things to think about...

  1. Engaging an external party to ethically hack the organisation. Acting in the way a hacker would, they’ll expose any vulnerabilities.
  2. Revealing all the data contained within the estate – once you know what’s there, you can better protect it by applying the right level(s) of security.
  3. Locking data down at source. Perimeter security can only protect an organisation so much. Visibility of data is vital. Data discovery technology is designed to find and reveal both structured and unstructured data and to run an automated policy workflow engine to check where data is being stored and if policies are being adhered to.

“Data breaches depend on how the company handles it. There’s a big opportunity to control what happens.”

Independent fraud, risk and security specialist


Technology approaches to data discovery

The first step to data discovery at scale is having the right tools that enable an organisation to interrogate its data estate in real time and with near-instant results.

Unlike other forms of ‘data discovery’ that simply scan the data, Exonar indexes data at scale and maintains that index. It’s a bit like having Google within the company firewall: users can execute searches and instantly get up-to-date results for data of any kind. But it goes further, because the organisation can automate those searches against specific data governance policies, repeating them regularly to identify exposed sensitive data.

We believe that this is what the first step in data management should look like from a technology perspective.

Step 5: Seeing data as an asset

Clearly data poses a risk to any organisation, but it’s a risk that can be easily mitigated when businesses change their perspective about data. As the digital data director for a Government department said,

“[Data as an asset] focuses people’s minds. It prompts strong discussions about whether you are robust and resilient and makes you think about how embarrassing it could be if there was a breach. For us in the public sector, the ‘Daily Mail’ test is big because reputation is huge. Lots of senior staff have it in the back of their minds so it’s a strong driver of behaviour. We revisit what works to be effective – we talk it through and ask if we can have an independent review.”

While the senior information management specialist for a large fintech organisation commented:

“They think data is the output of the business rather than it IS the business. We need to change that mindset. We need to move it from a risk, where the conversation is about storage and IT, to a business asset, where the conversation is about opportunity and advantage.”

It’s not a simple task

Achieving this change in mindset isn’t simple though, not when the idea of data as a risk is so ingrained in the cultures of many organisations. Asked for their thoughts on how to get an organisation to treat data as an asset, the panel said:

“If you haven’t got robust processes in place you end up with difficulties...Unless you do it right, you can collect the clients’ data when they sign up but then it’s illegal to use the data to cross sell.”

European Data Privacy Officer for a bank specialising in wholesale assets

“The danger is that you can get layer upon layer of governance that could stifle what we’re trying to achieve. There needs to be an owner who thinks about how to join up data across departments and looks collectively at how we move it from a risk to an asset. Controlled – but for the right reasons.”

Digital data director for a Government department

“We don’t have a data officer, but we have a DPO on the board because if we lose one piece of data we’re done. Any conflict is always at board level, which is the right place...The issue is how do we surprise and delight our customers?”

Global VP Engineering & IT for a company in charge of £2bn in customer data

Overcoming fear

Data is such a huge subject, and in many ways, organisations are in their infancy in understanding what it means to their businesses. After listening to the debate around the table, Exonar’s CEO summarised:

“What I’m hearing is that [data] is still very much driven by security. Fear and risk are driving that. Very often organisations don’t know what they can do with their data. They don’t know what questions to ask to start the debate. Are organisations so focussed on privacy and security that no one’s thinking about it as a strategic asset? Is it years behind?”

Sharing his team’s thoughts about releasing data into the public domain, the digital data director for a Government department said, “Many aspects of it caused nervousness. Knowledge is very powerful...We just didn’t know what people were going to do with it, but we have to accept that it needs to be done - we have to release the data.”

Technology has a part to play

The volume of data is growing exponentially, which means that the process of managing and securing it is challenging enough, before organisations even attempt to tackle the issue of distilling its value. This is where technology plays an important role.

Working to automate parts of the process wherever possible, technology can help to discover and classify information, enforce policy through document encryption, data loss prevention, access control, data remediation and content management, and assist with operational process and record keeping.

“I try to show how we can save time using technology and that’s where I show the value,” said the senior information management specialist for a large fintech organisation.

Entrusting data handling to technology removes manual steps from the process. This makes it inherently safer by reducing the scope for human error, while also allowing the organisation to extract actionable insights to the benefit of the business.

Talking about his company’s approach, global VP Engineering & IT for a company in charge of £2bn in customer data said, “We are a data science company that uses tools to pull together data into data sets we own, or create aggregated data sets, that allow retailers to stock their shelves. The value of data is crucial to us...the data platform in the middle is the jewel of the company, the USP. How do we drive pace to insight? Our value is the algorithms over the top.”

Action: Collaborate with multiple stakeholders

For any organisation seeking to change its perspective on data and see it in a different light, the conversation has to be extended out into the business. Where security, privacy and data have traditionally existed in isolation with the CISO, CIO and DPO, changing the mindset from data as a risk to data as an asset needs these key business stakeholders to come together and elevate the position of data.

“In the tech and digital age we’re in, the customer expects a certain level of service. But how do we do it? That’s the big question. We need multiple people involved in the conversation – privacy, security, and the commercial stakeholder who has a clear objective about what they want to do.”

European Data Privacy Officer for a bank specialising in wholesale assets

Things to think about...

  1. Changing the conversation to involve stakeholders from the privacy, security, IT and wider business functions to discuss and debate how data could be used to benefit the business.
  2. Revisiting the privacy policy in the spirit of collaboration to consider whether the rules provide the flexibility to legally use data in different ways.
  3. Looking for technologies that support the efforts to both protect data as a risk and enable it to be an asset to drive the business forward.

Conclusion: Solving the data conflict

Action 1: Secure your data

Organisations can’t protect what they don’t know exists. While structured data resides in secure databases, the unstructured data that people produce by just doing their jobs is lying lost or forgotten, scattered across the organisation and vulnerable to attack. Therefore, data discovery becomes essential to securing the data estate within the organisation.

Revealing all the data at scale within the estate means that organisations have complete visibility and can then start to plan and take remediation actions to ensure their information is properly protected.

Action 2: Protect your data

Adequately protecting data starts with deploying the appropriate levels of security, which could include tagging certain types of documents as ‘confidential’, using encryption or password-protecting them.

Organisations then need to ensure that data privacy becomes ingrained as part of business-as-usual, rather than being a one-off exercise. Once data privacy becomes the ‘way’ people operate, it’s a consideration that’s kept front of mind, so people are more likely to do the right thing with that data.

But to get to this point there’s a huge education piece that organisations need to invest in so that everyone – from the C-suite to the frontline workers – understands how to treat data, who’s responsible for it and what to do if they discover something that could leave the organisation exposed.

This is where regular, dedicated training for everyone in the business becomes important so that awareness of data privacy remains high, with internal communications used as a reminder and to nudge people into demonstrating the right behaviours.

Action 3: Raise the profile of data

If organisations are to successfully tackle the issue of data as a risk, the siloed functions need to join forces at a board level to collectively solve the problem:

We need the CISO to both secure the perimeter and protect data at the source.

We need the CIO to take ownership for improving collaboration between disparate teams to get everyone pulling in the same direction when it comes to data.

And we need the DPO to help the organisation to make good decisions about data.

Once an organisation becomes confident in its security posture, it can start to enjoy the benefits that data presents as an asset. By distilling the data’s inherent value using technology, the company can start to identify untapped market opportunities and know how to take advantage of them to secure their future success.

Start discovering your data today

Why don’t you set up a time for one of our experts to give you a demo that’s relevant to your business challenges and we will show you how Exonar can help?

“Exonar is developing best-of-breed technology for its customers but only because the team is going the extra mile on a daily basis – whatever you need, Exonar is there. It’s the best experience I’ve had of working with a solution provider in over 20 years.”

Dave Parker, Group Head of Data Governance, Arrow Global