Data is the modern digital economy’s lifeblood. Organizations use it for everything from improving revenue and financial outcomes to patient care, consumer engagement, and market expansion. To drive even better business outcomes, many organizations have realized that a structured data governance plan is required. They have begun to empower their chief data officers (CDOs) to lead the way on data governance, which makes sense given CDOs’ niche expertise and focus. That said, for several reasons, chief information security officers (CISOs) must be part of data governance efforts.
The CISO, like several other stakeholders, needs to leverage data for business purposes (senior management for business decisions; marketing and sales for customer outcomes; and so on). The CISO has a need for data, both in terms of use and, more importantly, to ensure it is secured throughout its lifecycle. This lifecycle involves several stages, including generation, collection, processing, storage, and even destruction; it is a lifecycle that CISOs and cybersecurity teams need to be involved in at every stage.
Collection and Privacy
As organizations increasingly look to collect more data from users, consumers, and stakeholders, there are key security and privacy considerations that must be addressed to ensure the organization is meeting all regulatory requirements. Frameworks such as the EU’s General Data Protection Regulation (GDPR) and others emerging in the U.S. provide clear requirements around the use of citizen/customer data, and, if organizations aren’t cognizant of these requirements, they can quickly find themselves in hot water.
Data Breaches
Much like the business, malicious actors are also heavily focused on the data. This could be personal data, business data, intellectual property, financial data, and so on. If this data is not properly secured while it is at rest, in transit, and in use, it can be exposed to malicious actors who can use it for anything from ransomware and extortion to credit card fraud and identity theft. CISOs can be involved in key activities such as data discovery, classification, and, ultimately, governance to ensure the organization understands what data it has, how it is classified or categorized, and how it is governed throughout the previously mentioned lifecycle.
Bringing It Together
A data governance strategy that neglects to include the CISO and security considerations is like a stool missing legs. It will inevitably fall over as it encounters the friction of regulatory requirements, malicious actors, concerned customers, and trusted business partners. It is often said that security must be baked in rather than bolted on, and this is especially true when it comes to organizations’ data governance plans.
It is also worth pointing out that zero trust is data-centric, so failing to include the CISO in data governance inevitably sets up any zero-trust organizational plans for failure. However, it is up to CISOs to ensure they are engaging with their CDO and fellow C-suite counterparts and securing a seat at the proverbial table. Silos exist at the executive level, and, much like the push for DevSecOps (development, security, and operations) and breaking down silos in engineering, these executive-level silos need to be broken down to bolster collaboration and enable better business outcomes — what we should all be after.
Join us on October 27, 2022 for Acceleration Economy’s Data Modernization Digital Battleground, a digital event in which four leading cloud vendors answer questions on key considerations for updating data strategies and technology.