Cyber/Data Security and Data Governance – Siblings from the same Parents

This week I am very pleased to welcome Alexander Akinjayeju to write a guest blog. I mentor Alex through the DAMA UK mentoring scheme. He has an extensive background in Data Security and has moved into Data Governance. When helping clients implement Data Governance I often end up liaising with their Data Security Team. During our mentoring calls we have discussed the relationship between the two data management disciplines and Alex explains it so well that I asked him if he would be willing to write a blog on the topic:

Cyber security is the sexy term for information security; it may also be used interchangeably with other scope-specific terms such as IT security or digital security. The keyword here is “Security” of information in whatever format or scope it is presented, be it Cyber, Digital, IT etc. For the sake of this write-up, I shall use the generic term “Information Security”.

The Information Security discipline can be seen as a science or as an art depending on your point of view or context.

Science is defined as “A systematically organised body of knowledge on a particular subject” while Art, on the other hand, is defined as “A skill at doing a specified thing, typically one acquired through practice”. A core concept in Security is the threat of an “enemy” willing to steal, disrupt or otherwise strip information of its value.

Information security is an organised body of knowledge (Science) on the protection of information, often involving fighting wars with internal and external enemies (Art).

The subject of Information Security concerns itself with the protection of the Confidentiality, Integrity and Availability attributes of Information assets.

Data Governance (DG) is defined in the Data Management Body Of Knowledge as “The exercise of authority, control, and shared decision making (planning, monitoring and enforcement) over the management of data assets.” It is part of a larger discipline that has traditionally been called enterprise information management (EIM).

What’s the link between Information and Data, you may ask? The illustration below sums it up.

[Illustration: Information and Data]

Knowledge and information are everywhere; they are converted into multiple formats such as data, audio, pictures etc. for usage. Data, and inherently the information it conveys, is used in business processes and interacted with by humans, transported through physical papers, computer hardware and networks, and stored in computers (files, applications and databases) throughout its life-cycle. Data is also now being extensively used in Artificial Intelligence and machine learning to create new devices and tools while at the same time driving process efficiency across all areas of human endeavour.

There is no gainsaying that Data is valuable to many organisations, including non-commercial ones such as the military or public services, particularly so in the current digital age revolution where Data is said to be the “New Oil”; we even coined a new word, “Big Data”. The illustration below shows the volume of data that was created every minute of the day in 2018.

[Illustration: data created every minute of the day in 2018]

The implication of this amount of data is that it drives the global economy, which leads one to conclude that there is a lot of value in the data; traditional industries including banking and finance have been disrupted while completely new industries have sprung up in recent years. For example, Uber and AirBNB did not exist 10 years ago, and neither of them owns physical assets in their operating model; Uber’s revenue was over $14 billion in 2019 and AirBNB is valued at $38 billion. Guess what? Data is their main asset!

The remit of Information or Data Security is the protection of the value of Information and Data assets!

There are a few stressful periods in the working life of a security executive:

1. The annual ritual of budget planning and decisions on the allocation of scarce resources is a very stressful time for the business executives involved in the process. The process involves a lot of data, numbers and logical articulation of projections for the coming year; this is about the cost of security. However, the value of the data to be secured/protected is often not included in the discussion.

2. Initiation of a strategic security programme, either as an improvement or as a complete greenfield setup. These programmes are often driven either by compliance obligations, by audit findings or by general information security risk management.

3. Identification and location of critical business data, the level of control required and the amount of resiliency required to ensure business continuity when disaster strikes. In order to search for an item, the minimum requirement is that you know what you are looking for, perhaps a description or characteristics and other specific features.

4. Prioritizing the most effective controls to deploy within the constraints of defense-in-depth principles. This challenge is premised on the fact that resources will always be limited; even nation states don’t have a bottomless pot of resources. It’s also a fact that some data and applications are more important and sensitive than others. When we prioritize there is always an opportunity cost in the things we forgo, therefore we want to ensure that we are choosing the right assets to protect and the right controls to deploy.

As you can see from the above list, none of the items is exclusive to the security function. At the heart of it all is the “Data” that needs to be secured: if we don’t know its attributes, such as characteristics and description, we cannot find it; if we don’t know its importance or criticality to the organisation, we cannot apply a commercial/financial value to it, nor can we prioritize it, nor can we know whether it is within a compliance scope.

The Chief Information Security Officer and their team do not own the Data they are expected to protect; the CISO does not know its relative value, nor does the team understand the risk appetite or tolerance of the firm, without active collaboration with the business or stakeholders. On its own, the Security team cannot define the security attributes or level of protection a Data Asset requires.

The consequence of the above is massive! It causes either inadequate or over-investment in security, an opaque decision-making process, a false sense of security, misuse of limited resources protecting low-value assets to the detriment of critical assets, as well as poor business resilience and disaster recovery planning, among others.

The answer to all of these can be provided by a Data Governance programme or function.

The need for collaboration between the Data Governance and Cyber Security teams is often critical, particularly on Data Loss Prevention projects. It is an indisputable fact that modern businesses have a lot more data and data channels to contend with, both structured and unstructured. Data is ingested from multiple sources and may be found on on-premises servers, in Cloud apps and storage, on users’ devices including mobile devices and smartphones, and in many more locations – the dispersal surface is forever widening. It is inefficient and far more expensive to expect the security function to effectively secure all data regardless of sensitivity when its criticality is not known. This is part of the reason for the high level of Data breaches frequently reported in the media: resources are spread too thinly rather than focused on the “Crown Jewels”.

In my professional career I have seen time and again on different assignments that a lot of organisations don’t know where their critical data are stored; they have no understanding of its flow within the business or of what business processes interact with it. These are the everyday issues that security people have to contend with, often playing piggy in the middle between different departments to arrive at ad-hoc conclusions and decisions on data attributes. This approach leaves the business exposed to risks on many fronts.

The Data Governance function would help the Data Security function with the fundamental question of Data Attributes; it will provide the details of value that allow logical decisions to be made around managing security risk to the Data. In return, the Security function will assist the DG function in deploying and operating controls to enforce its principles, policies and standards, as well as monitoring for compliance. It is a WIN! WIN!

I recognize that the Data Governance function is relatively young and evolving; however, the Information Security function will do very well to engage and collaborate where one exists, and wherever possible the CISO may even suggest the establishment of one within their organisation.

I hope you found this useful. You can find out more about Alex on his LinkedIn profile.