The Importance of Data Governance in Protecting Data

By Deepinder Chhabra, Head of GRC (EMEA), ISACA Emerging Trends Working Group

In today’s world, data is truly king. It keeps the wheels of every business turning, and without it most businesses would be lost.

But just like any precious commodity, it has also become the target for thieves – malicious actors who go to extraordinary lengths to get their hands on organisations’ data. From government agencies through to major infrastructure companies and small businesses in rural locations, no organisation is safe from the reach of global attackers.

For that reason alone, protecting data is the best thing that any organisation can do for itself. But far too many organisations leave data security to a few people in an under-resourced information security team, rather than taking a comprehensive, risk-based, governance approach to data security. After all, if you have something that precious, wouldn’t you take every precaution to protect it?

The value of data

Organisations create, process, and store immense quantities of data. They use it to innovate, develop and launch new products, decide who to market to, and more. When used properly, data can provide businesses with a competitive edge that allows them to move from strength to strength.

Much of this data is personal data. Personal data is what enables businesses to reach actual and potential customers. But personal data is under constant attack from malicious actors who also know just how much value that data can have for them.

Add in regulations such as the GDPR in the EU and the UK, the CCPA in California, or the LGPD in Brazil, all of which place a high value on personal data protection, and businesses really do need to take care with the personal data they hold. This direction must come from the top and be a part of the culture of the entire organisation.

What does data protection mean?

As a basic definition, data protection means guarding the confidentiality, integrity, and availability (CIA) of the data.

Confidentiality refers to preventing sensitive data from being accessed by unauthorised individuals; integrity involves maintaining the accuracy and completeness of data throughout its lifecycle, protecting it from unauthorised or accidental modification; and availability means ensuring that data is accessible to authorised users whenever it is needed. This CIA triad forms the foundation of data protection, and all three properties must be protected at all times.

However, without a strategic approach to data management, there is a danger that data custodians and security teams will focus on personal data at the expense of business-critical and other sensitive data. Furthermore, they may focus on the most familiar of the three properties, confidentiality, and fail to protect the other two dimensions, integrity and availability, even though a corrupted or unavailable data set can do as much damage as a leaked one.

Building data governance into a data protection strategy

Full data protection can only be achieved through appropriate governance structures and data management processes. Let’s explore what that means for an organisation.

Managing data risk

As discussed above, businesses collect immense quantities of data. But not all data is created or valued equally, and some data requires more protection than other data. Applying the same level of protection to all data would quickly overwhelm an organisation, and could mean that nothing gets done. In addition, individuals, regulators, and malicious attackers all place different values on different pieces of data (or data sets), increasing the need for businesses to understand the value of each data set and how to protect it.

The logical option is to take a risk-based approach to data management. In a risk-based approach, decisions are taken following an assessment of the likelihood of an incident involving a set of data and the impact that incident would have on the business. In this way, organisations can assign due priority to each data set and build protections proportionate to its risk, so that effort and budget follow the risk rather than being spread evenly.

However, data doesn’t just exist in tidy boxes that can be risk managed. Data can be found in small pieces, duplicated and spread across an entire organisation, and that’s where data governance comes in.
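To make the risk-based approach concrete, the following Python sketch is an added example (it is not code from the article or from ISACA) of a minimal data risk register. It scores each data set separately for confidentiality, integrity and availability so that a data set with little confidentiality value but a high availability impact still surfaces, and it merges the duplicate copies of a data set found across the organisation so that every copy inherits the worst likelihood and impact observed. The data sets, scores and tier thresholds are constructed assumptions for illustration, not figures from the article.

```python
"""Added example (not from the ISACA article): a minimal risk-based data inventory.

Every data set is scored per CIA dimension as likelihood x impact (both 1..5),
the worst dimension drives the overall tier, and duplicate copies of the same
data set are merged so the copy on a shared drive cannot be rated more
leniently than the master in the CRM. All figures below are constructed.
"""
from dataclasses import dataclass

DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass
class DataSet:
    name: str
    locations: list      # systems where this copy lives
    likelihood: int      # 1..5: chance of an incident in the assessment period
    impact: dict         # dimension -> 1..5 business impact if that property is lost


def consolidate(entries):
    """Merge every copy of a data set under one name, carrying forward the worst
    likelihood and the worst impact seen for any copy. A marketing export of the
    CRM is still customer PII, and it usually sits somewhere more exposed."""
    merged = {}
    for e in entries:
        m = merged.get(e.name)
        if m is None:
            # copy the list and dict so the caller's inventory is never mutated
            merged[e.name] = DataSet(e.name, list(e.locations), e.likelihood, dict(e.impact))
            continue
        m.locations.extend(e.locations)
        m.likelihood = max(m.likelihood, e.likelihood)
        for d in DIMENSIONS:
            m.impact[d] = max(m.impact[d], e.impact[d])
    return merged


def risk(ds, dimension):
    """Risk for one CIA dimension on a 1..25 scale."""
    return ds.likelihood * ds.impact[dimension]


def assess(ds):
    """Return (driving dimension, score). The worst dimension wins; averaging
    would let a single catastrophic dimension hide behind two benign ones."""
    scores = {d: risk(ds, d) for d in DIMENSIONS}
    worst = max(DIMENSIONS, key=lambda d: scores[d])
    return worst, scores[worst]


def tier(score):
    """Map a 1..25 score to a protection tier (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "elevated"
    return "baseline"


def prioritise(entries):
    """Rows of (name, tier, driving dimension, score, locations), worst first."""
    rows = []
    for ds in consolidate(entries).values():
        dim, score = assess(ds)
        rows.append((ds.name, tier(score), dim, score, sorted(ds.locations)))
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows


# Constructed inventory: not real data sets or real assessments.
INVENTORY = [
    DataSet("customer-pii", ["crm"], 2,
            {"confidentiality": 5, "integrity": 3, "availability": 2}),
    # the same records exported to a shared drive for a campaign: far more likely to leak
    DataSet("customer-pii", ["marketing-share"], 4,
            {"confidentiality": 5, "integrity": 2, "availability": 1}),
    # nothing secret in it, but the plant stops if it is wrong or unavailable
    DataSet("plant-telemetry", ["historian"], 3,
            {"confidentiality": 1, "integrity": 4, "availability": 5}),
    DataSet("public-price-list", ["website"], 3,
            {"confidentiality": 1, "integrity": 3, "availability": 2}),
]

if __name__ == "__main__":
    for name, t, dim, score, where in prioritise(INVENTORY):
        print(f"{name:<18} {t:<9} driven by {dim:<15} score={score:<3} copies in {where}")
```

Two design choices carry the point of the section. The overall score is the maximum across the three dimensions rather than an average, which is what lets the plant telemetry (no confidentiality value at all) land in the same tier as the customer records. And the consolidation step means the exposed marketing export raises the rating of the customer data as a whole, rather than the copy in the CRM being assessed in isolation as if the export did not exist.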

Implementing data governance across the business

Data governance is everything an organisation does to ensure that data is secure, private, accurate, available, and usable for every legitimate business need. It includes the actions people take, the processes they follow, and the technology that is implemented to support them throughout the data lifecycle.

Some key elements of a typical data governance programme are:[1]

Policies and procedures

Policies set out the organisation’s intentions towards data governance and data management. They provide a clear direction for all employees to follow and lay the foundations for a data protection culture.

Procedures are the processes that employees need to follow in order to manage data effectively across the organisation.

Leadership

Data governance needs strong leadership in order to succeed. Much of this leadership comes not from information security and privacy specialists, but from senior management such as the CEO, CTO, and others. Once they have made the importance of data protection clear to the organisation, and are seen to act on it themselves, employees are far more likely to follow.

In addition, peer leadership is a valuable resource in creating a data governance culture. Security or data champions are employees who incorporate data governance into their daily work, and who encourage their peers to do so, too.

Roles and responsibilities

Building a data protection culture is everyone’s business. As a result, everyone needs to know their roles and responsibilities towards data. The people directly responsible for data must know their role in protecting its quality and security. Other employees may need to know how to build secure applications, and yet others may simply need to know how to avoid falling for a social engineering scam. All of these roles need to be set out clearly so that the relevant people can follow them.

Compliance with external standards

The GDPR remains a major driver for data governance across many organisations. In addition, more and more customers are requiring their suppliers to comply with privacy regulations such as the GDPR and CCPA, and to achieve ISO/IEC 27001 or PCI DSS (for cardholder data) compliance, in order to do business with them. Additionally, more organisations are adopting frameworks such as the NIST CSF, NIST SP 800-53 or the CIS Critical Security Controls (18 controls in version 8) to implement security controls that protect their data. All of these standards and frameworks require a strong data governance approach in order to achieve compliance and the desired outcomes.

Data is growing at phenomenal speed and as organisations continue to create and consume data, it will become more and more vital that they implement strong data governance in order to help them manage it. Not only will a data governance programme help organisations protect their data, it will also help them understand their data better, supporting better, more timely decisions, and enabling employees to gain the access to data they need in order to do their jobs better.


Please note that the views expressed in this article are my own personal views and do not reflect the views of my employer.

[1] Organisations may want to refer to or adopt elements of the COBIT 2019 framework for the implementation of data governance and security.