Securing a Modern Data Governance Program

For CIOs and CISOs, establishing a secure data governance program that successfully aligns with business priorities is paramount. It is a top focus area for the year for both technology and security leaders with data and analytics and data governance appearing in their top ten priorities in our annual Leadership Perspective Survey. 

As data becomes increasingly available across multiple cloud environments, it's more important than ever to preserve the confidentiality, integrity, and availability of information used in business processes, applications, and technology. IT and security leaders need to establish a secure, modern framework that protects high-quality data throughout its lifecycle.

CIOs and CISOs in Philadelphia recently joined a Town Hall to discuss how to align their data strategy with their security objectives. Community members Mark Eggleston, CISO at Corporation Service Co, Bistra Lutz, Global Director Security Operations at Crown Holdings, James Edmunds, Vice President, Information Technology at Allan Myers, Monique St. John, VP, ACIO & CISO at Children's Hospital of Philadelphia, Matt Cerny, Director, Cyber Security, at Integra Life Sciences, Chris Bennett, CDAO - Financial Advisor Services at Vanguard Group, David Sherry, CISO at Princeton University, and John Jabour, Vice President and CIO, at Keystone Human Services led the discussion.

For the first time this year, Philadelphia CIOs and CISOs came together to discuss a topic relevant to both IT and security leaders. They joined small breakout groups to share strategies to ensure the availability, integrity and confidentiality in data, while mitigating risks, and the importance of complying with data-focused regulations while creating value from a data governance program.
 

Key Takeaways from the Discussion

• Many organizations are still on the journey to having a holistic data strategy.
  Several executives noted that they are still “on the road” to having a data strategy across the organization. In some industries, the strategy is driven by government regulations. For others, it’s complicated by mergers and acquisitions or business unit siloes, with each having different policies and practices. One executive noted that it takes awhile to work through and have everyone meet the same standards.
• Simplify data classification where possible. 
  To make data protection scalable, it’s best to keep classification as simple as you can. One executive noted that it can be as simple as “sensitive or non-sensitive.” Another executive shared that the data that comes from their file access manager is shown to the data owners for them to see how their data is being used. This helps them “come up with good recommendations on segmenting access or changing access.”  
• Educating employees is a key component of any data governance program. 
  Executives noted that it’s important to make sure the right people have the right access to data internally, and then also mitigate the risks with ongoing monitoring and auditing of who has access to what. One leader noted that they particularly focus on monitoring the access of employees who have changed jobs so that “only people who are supposed to have access, have access.” They agreed that they must “educate the employees working on our systems” and that “education is the first line of defense.” One leader noted that smarter tools are making it “easier to keep an eye on everything.” Another shared that it’s necessary to take training “beyond the once-per-year, mandatory training.”
• Data retention is a tricky question when it comes to risk.
  Some IT and security leaders find that colleagues around their organizations want to “hold onto” data. One executive referred to his organization as a data “pack rat.” Some leaders are performing a risk analysis with different departments to determine what data they have, how it’s classified and stored, and whether or not it’s being used. They then can define a retention policy, including legal and compliance considerations. One noted that in some cases, it seems preferable to “delete the data to minimize the risk” of holding onto it.

There is no easy answer for CIOs and CISOs when it comes to data governance. As one participant noted, “It all comes back to properly understanding your data and having good relationships with data stewards.” The proliferation of data is particularly challenging to finding efficiencies and managing data integrity. As one executive said, “We don’t have efficiencies yet – in fact, everyone wants more and more data.”

CIOs and CISOs understand the power of data, and some in the discussion are focused on monetizing data at their organizations. They agreed that “data is gold” and needs security and protection. One CISO summed it up this way: “A human firewall works better than a million dollar firewall.” 

To continue the conversation with your peers on top priorities for CIOs and CISOs, find your local Evanta Community, and connect with C-level executives from the world's leading organizations. Or, see when your local CIO and CISO community is gathering next here.