As companies realize the importance of data as a driver to their long-term viability, data governance is a topic that is being increasingly discussed in corporate board rooms. In the past, data was described as the oil for the digital economy, businesses are now waking up to the fact data can have both positive and negative effects – depending on how it is managed across the organization.
The development of an effective data governance program requires collaboration and cooperation across a number of organizations in the enterprise. The first and foremost among these are security and analytics teams. However, these organizations led by chief information security officer (CISO) and the chief data officer (CDO) respectively have opposing mandates. The CISO’s office is tasked with protecting enterprise data and to ensure the privacy of the information that customers have entrusted to the company, which may result in a strict and overbearing restriction on the use of data. The conservative approach can be an immediate roadblock to short-term data analytics projects and may have a negative effect on long-term innovation initiatives. On the other hand, the primary objective of the CDO team is to extract insights from data which requires broad and rapid access to data spread across on-premises and cloud services. Due to their respective mandates, information security and data and analytics teams have traditionally operated in separate spheres that lead to duplication of effort and inconsistent data governance policies that pose regulatory, financial and reputational risk to the organization.
Data governance has been the domain of Information Security (InfoSec) which has historically employed a top-down approach to dictating governance policies and thereby controlling various departments’ access to data. The reason this approach has not been effective is that data governance is a framework that is a combination of people, processes and technology. When members of different teams feel that policies have been forced upon them, they view them as an additional task for which they must find time in their busy schedules. Another factor that works against this approach is InfoSec doesn’t have a good understanding of how various organizations in the company use data to make business decisions, therefore these policies cannot keep pace with the ever-changing needs of business. The application of dictated data governance has had important repercussions for enterprises. Lines of business in general and analytics teams in particular have viewed data governance as a hindrance to achieving their objective of extracting insights from data and building data-driven solutions.
The dictated approach also puts corporate IT in an impossible position as IT is tasked to implement data access policies through the selection and deployment of data governance tools. When a business user requests access to a specific data set, that request is first directed to the IT department. Unfortunately IT also lacks the context and visibility into business’s use of data and therefore cannot approve or reject that request on its own. This introduces latency into the analytical process where IT first approaches the data owner to make that decision. Just imagine this process being repeated for hundreds of access requests across the organization. Due to this, IT is seen as a bottleneck by business teams and data consumers who now must wait to get access to the requested data.
The offices of CISO, CDO and CIO must collaborate for the corporate objective of using data as a competitive advantage to come to fruition. In this regard, these disciplines need to work towards balancing data governance with secured sharing of data using technology in a way to foster collaboration. The way data access policies are administered is a key area for these three organizations to collaborate and lay down the foundation for an effective compliance program. In other words, enterprises need to shift their focus away from dictated data governance to connected or collaborative data governance. In this framework, the governance policies are still outlined by CISO or CPO organizations, however the process of requesting access to data and the timeframe for taking action on that request becomes much more seamless and compressed. This is achieved by placing data consumers (business analysts, data scientists, LOB personnel) in direct contact with data owners in departments like sales, marketing or finance. This enables data consumers to set the context by providing information to the data owner about why he or she is requesting access to the data owned by the data owner. Once the data owner has this information she can take action on this request and also enforce the terms for its use. Collaborative data governance framework is efficient because it reflects the way people actually work in businesses. It’s a direct interaction between the data consumer and the data owner with contextual knowledge of data and access requests – without an intermediary such as IT involved in the middle.
This doesn’t mean that IT doesn’t have a role to play in collaborative data governance. In this framework, software also needs to catch up with how people already work in companies so that abiding by access policies isn’t seen as a burden. At the same time, IT needs to maintain oversight of the enterprise data landscape by having full visibility of the data governance process for compliance and audit purposes.
Data governance in companies needs to transform from the old command and control model to a collaborative approach that is part and parcel of the way people perform their day to day tasks in an organization. The implementation of collaborative data governance requires cooperation across security, analytics and IT teams led by the CISO, CDO and CIO. These roles need to ensure that their teams are pulling in the same direction in order to make their companies data-driven organizations where sharing of data is seamless and secure.
Learn more about Privacera here, or contact us to schedule a call to discuss how we can help your organization meet its dual mandate of balancing data democratization with security to maximize business insights while ensuring privacy and compliance.