While it has always been important for organizations to keep track of their data, it has never been more critical than it is today. There are many reasons why, including cybersecurity and data privacy concerns, the proliferation of both international and state laws, the relentless growth of data and the endpoints that access that data, and the increasing use of data for advanced analytics. Today, data is often considered the most valuable asset of an organization, used to make strategic, tactical and operational decisions.
Keeping track of all of these aspects of data is the job of data governance. At its core, data governance requires controlling all data to meet legal, regulatory, risk and business demands. According to a recent Gartner survey, data governance is now the top concern for chief audit executives, over cybersecurity preparedness.
With all of these changes, it may be time to revisit your company's data governance approach—if your organization has a data governance policy in the first place. A recent Osterman report found that about one-third of midsize and large organizations don't even have an information governance program, although most are working toward that goal.
Changing business systems and priorities are other reasons to consider revamping your data governance approach.
"If you had a no-cloud strategy before because you were worried about security but have since moved workloads to the cloud to get more value out of your data, your governance policy may not be as complete or relevant today," said Michele Goetz, a vice president at Forrester. "Often, policies need to be reviewed when an organization becomes more insight-driven, or after they have invested in modernizing data platforms and architectures."
Here are some tips for updating your data governance approach:
Don't consider data governance an IT function; it's essentially a business function. Scott Hurdis, head of data governance and strategy for AIG, a large New York-based insurance company, learned this on the job. After talking to peers and former colleagues in other organizations and industries, he knew that was the approach he needed to take with AIG. About two years ago, he did just that.
"Data management is moving out from underneath the CIO to the business itself; business units understand their business problems, and they can tell IT what they need to accomplish so IT can find the right technology to do it," he said.
Moving data governance to the business side also solves the cost center issue. "IT always has to find a cost center to charge their time to, but if it's on the business side, it's just part of the job," Hurdis added.
Keep your scope as broad as possible. Typically, data governance leads to "data lockup," a defensive approach that aims to ensure compliance with every applicable regulation. While controls are important, this approach, if too stringent, puts so many restrictions on data that it becomes unusable.
"In addition to being about risk mitigation and regulations, data governance also should be concerned about getting value from data," Goetz said. "It's important to strike the right balance."
Streamline your data processes, and purge data within the limits of the law. More than half of data at a typical organization is stale, meaning that it is no longer needed by the business or required by regulations. Much of that is sensitive data. By discovering data routinely—collecting data from all relevant sources, including paper data—organizations will know what's stale, and what they can therefore eliminate.
"Descope (purge) the data unless you have a reason to keep it, because that extra data makes you less effective and more at risk," said Mansour Farani, senior governance risk and compliance consultant at Insight Enterprises.
In addition, Farani recommends anonymizing data through tokenization, which removes identifying information while allowing organizations to retain it for other purposes, like analysis.
Don't rush your data governance overhaul. Do it right, not fast, Hurdis said. "Think about trying to get an old manuscript off of a Commodore 64 and onto your tablet. Short of retyping it from the screen, how are you going to do it? You have to think about all of the steps you need," he said.
It's the same with data governance. That may mean taking smaller steps, which also fits nicely with the agile approach that IT probably wants to take. "It's OK to deliver the minimum value now instead of trying to jump to the end state," Hurdis added. "It's better to deliver something of value after a few months instead of delivering it all at the end of a three-year project that may or may not get there."
Don't forget about the human factor. According to one report, every employee, on average, has access to 17% of all files containing sensitive data in their organizations.
"When an executive is under time pressure, he might save an Excel file with sensitive data on his desktop thinking that as soon as he is finished, he will delete it," Farani said. It happens all the time, he said, resulting in data being dispersed throughout the organization. If that executive doesn't follow through by deleting that file on his desktop, it will end up in a general backup, making sensitive data available to anyone in the organization.
Circumventing this problem requires a thorough and frequently run data discovery program. It also requires awareness training for employees about how to handle sensitive data, not only when an employee is hired, but routinely after that.
It's not all about tools. While automated tools will help with much of the process of discovery, for example, it won't do much for finding data still stored on paper. That takes manual work. At Insight, for example, consultants interview all key personnel areas in an organization and ask them what they consider sensitive data, how they handle sensitive data, where they keep physical copies, how they protect physical copies and how they dispose of data that is no longer needed. "It's really a combination of automated tools and manual intervention," Farani said.