In Part I of this blog series, we introduced the topic of boundaries, and how traditional silo-oriented thinking is arguably the biggest barrier to implementing comprehensive data security. In this second part, we introduce practical guidance on how to overcome those boundaries.

The first practical step is recognizing your organization’s history. Your data silos and the boundaries between them didn’t appear by accident. They emerged for good reasons via a series of business initiatives and IT projects. Over successive decades, these evolved into a patchwork of application stacks and jurisdictions that, as long as their original stakeholders are still active beneficiaries, will continue to get organizational and financial support. As the old joke goes, “God could create the world in six days because he didn’t have an installed base to deal with.” So it goes with data security.

From mainframes and midrange computers for back-office processing in the 60s and 70s, to client-server database applications incorporating the front office in the 80s and 90s, to the Internet and web applications incorporating one’s customers and partners in the 2000s, each of these waves of computing was a response to the most significant market, financial and organizational opportunities and challenges of its day, and was championed and funded from the most senior levels of the organization. The business functions and work streams they support are still very much valid and valuable. Champions still exist within those functions. They may no longer represent the most visible initiatives, but they are still very much keeping the lights on in your organization. And, if you’re not careful, they will come out like antibodies to fight any new initiative that they perceive may challenge their ability to keep those lights shining bright.

As a data security practitioner, one must avoid going bottom-up: the pattern of engaging with each such silo on its own terms.
As mentioned in the previous post, each silo will claim differences and special requirements that will complicate most cross-silo initiatives. At the very least, the cost of implementing deep data security per each silo’s specific requirements will collectively take an inordinate amount of time and resources. Even Neo learned this the hard way. After failing to win decisively in spite of superhuman efforts, he had to conceive of a better way to defeat the multitudes of Agent Smiths: transcending their various manifestations and getting to the Source. He had to go top-down.

OK, right, this post is supposed to focus on practical guidance. Well, the Source shouldn’t be hard to find in your organization. Follow the money! Which business initiatives (involving harnessing data in a substantive way) are getting the most attention from your C-suite and are driving the largest net-new budgets? This may vary from one organization to another, but here is a list of common ones that I have seen come up over and over again in recent years, across all verticals and geographies:
- “Digital Transformation” or “Customer Engagement”: Typically led from a CMO or similar market-facing function, these projects serve to better understand the entire customer “journey” of interactions with the organization, and leverage data gathered from those numerous interaction points to better attract, serve and retain those customers.
  - Main success metrics: Customer engagement and per-customer revenue.
  - Budget source: Usually a marketing or customer-success function, or other field-facing operational source.
- “Data Modernization” or “Data Democratization”: Typically led from a CDO, COO or CIO function, these projects serve to push data processing and analysis closer to the business functions they support, usually involving migrating to cloud-based applications for greater access at lower cost, and harnessing big data lakes and self-service data tools to enable greater end-user empowerment.
  - Main success metrics: Increased efficiencies, better margins and lower activity costs.
  - Budget source: Chief data officer or analytics officer (often with CIO backing), or a distinct business operations function like the COO.
- “Regulatory Compliance”: Usually started by a G&A or GRC function, and eventually owned by a CDO or CISO group, these projects serve to comply with industry and governmental regulations involving the trustworthiness and protection of data. Originally focused on financial services, we now see similar regulatory requirements in most major industries and in most modern economies.
  - Main success metrics: Other than avoiding the negative reinforcement of fines, jail time and reputational risk, the champions of such projects also look for “upside” positive-reinforcement metrics like improved product quality, customer service, and market awareness through better data.
  - Budget source: Regulated industries will often have a GRC (Governance, Risk and Compliance) function. Otherwise, look for a Chief Data Officer or Chief Information Security Officer with a mandate to implement compliance with specific regulations.
This obviously isn’t an exhaustive list, but these three should make the point: there is big money being spent on company-wide initiatives that involve data. Astute readers may have picked up on the common thread between all of them: none of them operates within any one existing data silo! Instead, they necessitate cutting across silos. Each involves relating, aggregating, integrating, enriching, and facilitating access to a broad landscape of data both inside and outside your organization. That landscape includes cloud platforms and application suites, big data lakes and big data analytics, and Internet-scale collaboration tools delivered via social platforms and mobile devices, all harnessed to achieve the goals of these three major cross-functional business initiatives.

In short, follow the money to its source. Find the champions who can articulate the business importance, help you understand the use cases and the flows of data required to achieve those use cases, and spell out in hard dollars the business opportunities they represent. Armed with this business context and a deeper understanding of the data needed within it, you can then drive a more practical set of data security policies designed to be fit-for-purpose for that context. Thus, instead of trying to boil an ocean of data silos, focus on the specific data assets that need to be protected to support that business context, using its success metrics as your justification. Given that these business imperatives enjoy broad visibility and C-level air cover, and that you’re not trying to over-reach beyond their scope, most application owners will be more than willing to engage beyond previous boundaries and take part in conversations about how to participate in these new business imperatives, safely and securely.

Next, what is the quickest path to implementing those policies?
It’s one thing to reach your organization’s Source(s) and understand the data-driven transformations they are trying to drive, but it’s another to translate that understanding into a fully operational data security program quickly and painlessly. Here, too, there are dangers to avoid, and there is an art to the “quick win.” The third and final post in this series will explore various considerations for getting cross-silo data security off the ground quickly.
The post Data Security in a Data-Driven World (Part 2): Follow the Money! appeared first on Protegrity.