Data Governance Interview with Lara Gureje

Lara Gureje (pronounced ‘gurej’) is the Founder & CEO of DatOculi LLC, a Data Governance & Stewardship Consultancy, Coaching & Training firm with its headquarters based in San Francisco.

Lara is a renowned Data Governance & Stewardship Advocate with a passion for the heavily regulated industry. She is a seasoned Data Management veteran with over 20 years of experience, with 11 years' experience working for the Big 5 consulting firms like Coopers & Lybrand, PWC and IBM. Lara has recently launched her own Consultancy offering where she helps organisations mature their data management practice whilst building successful cultural transformation, and fostering ethical use of data for competitive edge and insightful analytics.

How long have you been working in Data Governance?

I’ve been working in Data Management for over 23 years in total and would say the last 6+ years is where I’ve primarily focused on Governance around data holistically. 

Some people view Data Governance as an unusual career choice, would you mind sharing how you got into this area of work?

I actually consider myself lucky on this, for me and for those who have worked with me over the years as I journeyed through my career. Data Governance is a natural fit for my personality and my passion. I think I had stepped into the role long before they knew what to call it. I kicked off my career in Europe in software development & coding. That career did not last long before my strength for data management and analytics took centre stage and that was what opened the opportunity for me to be brought over to the USA by PWC at the time. 

I’m people-centric, with a great collaborative and community-building skill set. Working with people is very natural for me as I’m able to engage people quickly where they are and journey along with them, to where they desire to be. Data Governance is a people-centric discipline that fits very well into my personal DNA. To that effect, I was nominated into the role when the opening came up in my last company, after so many failed attempts of bringing someone in, to successfully champion the governance adoption.  

In a nutshell, Governance & Stewardship around Data has given me the rare opportunity to ‘make my vocation my vacation’.

What characteristics do you have that make you successful at Data Governance and why?

I think for you to be successful at Data Governance, you obviously need to be tooled, trained and equipped well for success; this is very fundamental. However, there are some things that have to be part of your natural DNA to be successful in this discipline. I’ll call out a few that have worked for me over the years in my delivery:

  • Coming from a position of pain is always a great asset for a Data Governance Leader and I can attest that this has helped me a lot. What I mean by that is that you need to be intimate with what poor data quality means and its impact on an organisation.

    People telling you the horror stories in their data is not good enough. I believe, having been at the receiving end of the lack of governance, that kept me up at night, positioned me to be a better stakeholder to champion a successful adoption. For example, my career journey, through the data management maturity and evolution over the years, started with development through Data Acquisition, Integration, Management, Analytics and Distribution. This career journey in hindsight definitely positioned me for Governance & Stewardship in a unique way than many.

    The issues around missed opportunities and pains around data quality became very personal to me by the time I assumed full-time leadership in Data Governance.

  • People skills and a great collaborative spirit is also a great asset I was able to tap into. I’ve often referred to this as a personality fit, to work for the United Nations to resolve global issues between nations with different ideologies from one another. Getting them to sign the peace accord and having this personality has to come from a deep place where it’s more of an art than a science.

  • Rightfully messaging a good understanding that Governance is a journey and not a destination is also very important. Knowing how to start small with quick-wins and build upon success is always built into my framework. This always helps to set the right expectations and build workable building blocks for success in your deliveries. 

  • Knowing to continuously build advocacy and woo a community of allies to help accelerate Governance adoption journey is also something I like to build into my rhythm. Governance is a cultural transformation, the more allies to help evangelise your mission, the better it becomes and the quicker your organisation will start seeing the ROI.

Are there any particular books or resources that you would recommend as useful support for those starting out in Data Governance?

Books are good to read, but I’m one of those that believe practical Governance is what we need to mature this discipline. There are lots of books out there and cookbook ideas, unfortunately, do not work for real-life governance. If you’re going to read a book, I'll recommend picking up something that shares a case study of what success or failure looks like. No two Governance adoptions are exactly the same as the uniqueness of each organisation, their culture and goals which will drive what governance means to them. Hence, I advocate practical Governance, not something that looks good on paper and unrealistic for your setup.

What is the biggest challenge you have ever faced in a Data Governance implementation?

The biggest challenge I’ve seen in most governance adoption always revolves around the foundational gaps, i.e. poor understanding of what Governance is; lack or weakness of executive buy-in; internal politics; poor delivery expectations; lack or inadequacy of funding and poor leadership.

Is there a company or industry you would particularly like to help implement Data Governance for and why?

Any highly regulated industry that has invested heavily in regulatory compliance over the years, trying to leverage their investment in other initiatives, like MDM, GDPR and CCPA to pivot from compliance-led data infrastructure to profit-led data infrastructure.

OR other organisations that are simply trying to drive their business growth through analytics (AI/ML). I’d like to help them position Governance around their input data to optimise ROI in their delivery.

What single piece of advice would you give someone just starting out in Data Governance?

  • First and foremost, you have to be passionate about data & people.

  • Don’t begin with tools - understand what Governance is all about. A tool is an enabler that has its place once you understand what governance is about. You’ll know where and when to engage the right fitness of tools as you go on.

  • Get trained on Data Governance and Stewardship, find a coach or a mentor. 

  • Follow thought leaderships and read case studies of governance implementations.

  • Attend 1 or 2 yearly conferences to keep up-to-date with trends.

  • Be patient with yourself.

Finally, I wondered if you could share a memorable data governance experience (either humorous or challenging)?

Not sure if I’ll call it humorous somewhat, but I’ve often found it interesting that a lot of organisations still fail to realise the inherent value of investing in Governance around their data asset. It's probably the best investment they could ever make to realise all of their other strategic goals. 

But, they have no problem investing in the latest and greatest technologies to work the magic on their competing demands, MDM/KYC, GDPR, CCPA, AI and other. This, unfortunately, is evident in the number of professed ‘magic tools’ out there lining up to help organisations ‘mask’ their underlying data quality issues to deliver some of these demands. Hardly a week goes by where I don’t get solicitation of companies requesting help and assistance in tool selection for one data need or the other. I find this somewhat ironic as most of these organisations have unfortunately learnt to live with their ‘chronic poor data quality’. They have bought into the promissory note of vendors telling them they don’t have to worry about the state of their data as their tool has the ‘magical whip’ to ‘bandage the noise’ in their data.

The reality is that poor quality data does not magically disappear. If you failed to create a governed and trusted environment around your data, it will continue to haunt you. You will not be able to realise the full potential of your innovative investments in all other data initiatives until you address this.

Do I Really Need a Data Governance Policy?

It’s very rare that I’m able to give such a definite answer to a Data Governance question, more often than not my answer is usually ‘it depends’. Because so many aspects of Data Governance are nuanced and depend very much on your organisation's objectives and what you hope to get out of implementing Data Governance.

In this case, however, the answer is yes. Yes, you absolutely do need a Data Governance policy. That is, if you want to effectively and efficiently implement Data Governance in your organisation. Which, of course, you do, otherwise what would be the point in doing it at all?

This is a lesson I learned the hard way. When I first started doing Data Governance, I would say in the first three or maybe four initiatives that I worked on, I didn't have a Data Governance policy in place at all or not until it was too late. So, what I am really trying to tell you is learn by my mistakes! Make sure you have a Data Governance policy in place.

Learn from my mistakes

Now, the reason for this is mainly because without it, you're implementing Data Governance on a ‘best endeavours’ basis. You're hoping that you can influence some people and enthuse them to start doing Data Governance. And, I can tell you from my experience, that sooner or later, you're going to end up talking to somebody that says, "Do I really have to do this?"

And this is exactly what happened to me. In my very early days in Data Governance, someone came to me and said: "Well it was all very nice Nicola and it was good while it was working, but that was flavour of the month and we've decided not to do that anymore." You do not want that to happen to you.

They might not be a deliberately obstructive person. But they'll be saying this because just like most of us they have so much going on that they don't have time to do everything and if they don't have to do Data Governance, then they won’t. It’s an easy one to drop off the bottom of their to-do list. So, if you have a Data Governance policy in place, it sends out a very clear message that senior stakeholders in your company have said that you are going to manage your data properly.

Remember you’re doing this for all the right reasons 

Data Governance is something that can deliver such fabulous benefits to your organisation. You do not want your initiative stopped because you didn't take the time to get a Data Governance Policy in place very early on, so I really would encourage you to do that.

If I’ve managed to convince you that you need to write a Data Governance Policy but you are wondering where to start, you can get all the information you need and a simple approach in my new short online course: How To Write A Good Data Governance Policy.

How Often Should You Revisit Your Data Governance Maturity Assessments?

In my experience so many people seriously underestimate the speed at which they're able to implement data governance - so, when a client asked me how often he should revisit his Data Governance Maturity Assessment I thought ‘that is such a good question, I’m going to write a blog about it’. And here we are.

First things first, what is a ‘Data Governance Maturity Assessment’?

Very simply, your Data Governance Maturity Assessment is a helpful tool I often recommend organisations use to answer questions around what they are aiming for and where they are starting from when implementing a new Data Governance policy.

And, as such, doing, and revisiting, a data governance maturity assessment can really help identify what progress has been made and perhaps areas that need to be focussed on in the next phases. So, I think they are a really, really useful tool - especially as you can expect a new data governance initiative to, in my experience, take the best part of a year (and probably longer - as there’s no end to data governance) to design and implement a Data Governance Framework over at least some part of your data or organisation.

Please be aware that sometimes organisations can get tied up in “analysis paralysis” and spend inordinate amounts of time and effort on completing a maturity assessment. This is not useful, and care should be taken to only go to the level of detail needed to understand what capabilities your company is hoping to attain, plus identifying its current state.

How do I get a Data Governance Maturity Assessment?

There are multiple different maturity assessments available. As with all things Data Governance I prefer a simple approach and you can download a very quick and easy Data Governance Health check questionnaire for free here. If a more detailed assessment suits the culture of your organisation better, I recommend you look at the freely available maturity assessment published by Stanford University. Sadly, they recently removed their assessment from their website, but Alex Leigh has created an Excel spreadsheet version that you can download from his website.

It is only after you have gone through the analysis outlined above that you will be in a position to estimate how long implementing Data Governance is going to take in your organisation. Now clearly the timescales are going to vary. This doesn’t mean that you won’t be able to deliver some quick wins during this period, but it will take a reasonable amount of time and effort before your Data Governance Framework starts to deliver value on a regular basis.

So, I have my Maturity Assessment - how often should I look at it?

The timing is going to be important; after all, you don't want to be revisiting your Maturity Assessment too often because, actually, nothing will have changed in the passing time and all you will end up doing is bugging people. And, even if you use a very light touch Data Governance assessment tool, you're still going to be bugging people and asking them for their time. You don't want to do this unnecessarily.

What I recommend will depend on your circumstances, but definitely no more frequently than six-monthly, because in my experience, not enough will have changed to make it worth the effort of doing that - so I would say six-monthly, or maybe yearly.

I think you need to have a look and understand what's been moving on in your organisation and whether it's worth doing it again at this point. But, one thing I would also say is, when you're looking at the results of a Data Governance Maturity Assessment don't take all of them to mean that you've not accomplished anything.

Sometimes you've done the hard work and revisiting a Data Governance Maturity Assessment and asking for new responses is a really good measure of how well you're communicating.

I can't tell you how many times in the past - particularly in the early days - I've had results back and been devastated because I thought, well, we've done that bit already. ‘Why are they saying there's no data owners in this area as there clearly are?’ And, then when I take the time to take a step back and think about it, I realise that actually… we've done the work as a Data Governance team. But what we hadn't done was communicate it to the wider audience.

And, Data Governance doesn't work unless everybody's on board, you need to make a sustained culture change. You need lots of comms for that. So, Data Governance maturity tools are very useful tools when used correctly, and just don't do them too frequently. 

I hope that was helpful and don't forget if you have any questions you’d like covered in future videos or blogs please email me - questions@nicolaaskham.com.

Or if you’d like to know more about how I can help you and your organisation then please book a call using the button below.

Data Governance Interview with Ed Mathia

In this Data Governance Interview I spoke to Ed Mathia. Ed is a Data Scientist who learned very quickly that data quality is paramount, and that the processes to make data right the first time increase its value. When he finds incorrect data he works to change the data source to ensure the company has good information and makes good decisions. I’ve always enjoyed my conversations with Ed and in particular love his analogies when explaining Data Governance.

How long have you been working in Data Governance?

About 15 years ago, I became the Specification Manager for a semiconductor materials manufacturer.  My team was responsible for keeping the product specifications for the company.  The old timers used to say that a specification mistake released to production was equivalent to buying a house.  We recalculated when I was there, and a mistake could easily be 2 million dollars - that is a nice house.

Some people view Data Governance as an unusual career choice, would you mind sharing how you got into this area of work?

I have heard people talk about Data Governance as an unusual field, but I think that we are just early in the curve.  Data Governance reminds me of the Quality profession twenty years ago.  Companies understand Quality now, but it took Toyota and Motorola to show the benefits of great quality and the ISO-9000 standard to show the right processes.  I think twenty years from now that viewpoint will be strange.

What characteristics do you have that make you successful at Data Governance and why?

I think it is critical to have a good understanding of data science and machine learning.  Companies have so much data, stored in a variety of systems, that it becomes hard to find the fixable issues and the impact of the issues on the business.  It is a lot like a Magic Eye poster.  If you don’t know how to look at the 3D image, then all you see is the repeating horizontal pattern that looks like nothing.  With the right pattern matching techniques, you can resolve the special 3D picture.  Finding those patterns in the business data means you can fix the right problems based on the impact.

Are there any particular books or resources that you would recommend as useful support for those starting out in Data Governance?

Nicola, I always found that your coaching calls are the most useful support.  Books like the DAMA manual are great, but they are generic and don’t help with the specifics of communicating with your company.  Being able to ask specific questions, to draw on your vast experience and get options very quickly is extremely helpful.  I always found the coaching sessions to be like Christmas - I look forward to them for a long time but they are over too soon.

What is the biggest challenge you have ever faced in a Data Governance implementation?

As in most areas of life, communicating the need for change is one of the biggest challenges.  Everyone knows that bad data causes pain and has to be fixed before getting the right decision.  Companies accept the pain when they think it is a small, easily-fixed issue - like a paper cut.  But if everyone accepts little inefficiencies in the data then you have a big problem.  A piranha only takes a small bite, but a lot of small bites can do a lot of damage.  That is why I think it helps to have a good understanding of data science.  It is hard to find the inefficiencies spread through the company but it is possible -  using data science I found 6 million dollars of expedited shipment fees and one hundred thousand hours of productivity loss due to poor master data settings.

Is there a company or industry you would particularly like to help implement Data Governance for and why?

I think one of the most beneficial areas is company supply chains. In the US, financial services are awaking to the understanding of the need for data governance, but supply chains aren’t seeing the need yet. However, every dollar the supply chain saves impacts profit directly, while financial services are predicting which customers and products might be successful. Manufacturing is a field ripe for harvest.

What single piece of advice would you give someone just starting out in Data Governance?

Hang in there even when things seem tough.  Everybody is hoping to hire a pharmacist who will give them a pill to make them skinny.  Data Governance folks have to be personal trainers telling clients they need to eat right and exercise.  Even though it is the right way to lose weight, they won’t want to hear it.  Hang in there and be consistent.

Finally, I wondered if you could share a memorable data governance experience (either humorous or challenging)?

I once saw a data field that took on the opposite of its original intent - sort of like the word “dust”. Dust can mean either add or remove fine particles depending on whether you are talking about cleaning the house or making powdered donuts. When I was managing the specifications at a silicon wafer manufacturer, one specification was how close to the edge the backside seal had to extend. Several application engineers chose to check the “Edge-to-Edge” process specification instead of putting in the number of millimeters from the edge the seal could extend. They were thinking that the “Edge-to-Edge” process sealed all the way to the edge, but it was actually a 15-year-old process that had the worst sealing coverage. It really shows how important data governance is. It would have been much clearer to focus the specifications on the customer needs rather than which process to use. Then the process could change as long as it met the customer's needs. Specifying the process meant that we couldn’t give the customer a better product when new processes came along.

You can find out more about Ed and connect with him on LinkedIn by clicking here.

Can There Be More Than One Data Owner Per Data Set?

As you know, I’ve made it my mission in my videos and articles to answer all your Data Governance questions and queries, but quite often the answer is “it depends”. And that's because Data Governance can be applied differently, depending on the individual set of circumstances. But this is definitely not one of those situations.

What is Data Ownership?

Data Ownership is an important component of Data Governance. I believe that there is no such thing as a standard Data Governance framework. But I do believe that there are three key things you have to include in your framework for it to be successful: a policy, processes and roles and responsibilities.

Data Ownership is part of the roles and responsibilities. Trying to find a clear, simple definition for Data Ownership on the internet can be hard, but it is not a complicated concept. It's just about finding and engaging the right people in your organisation to be accountable for one or more sets of data. This covers such things as the quality of the data, the definition of what the data means, where it is stored and what it is used for.

Who should be a Data Owner?

Data Owners are senior stakeholders within your organisation who are accountable for the quality of one or more data sets. That sounds nice and simple, but this covers activities such as making sure there are definitions in place, action is taken on data quality issues and Data Quality Reporting is in place.

To be suitable to be a Data Owner, they have to be suitably senior in your organisation. They need to have the authority to make changes and also have either the budget or resources available to them to undertake data cleansing activities. If they don't have that authority and resources available, they won't make an effective Data Owner. 

Data Owners in larger organisations also usually nominate one or more Data Stewards to help them with these responsibilities.

So, can there be more than one Data Owner per data set?

Well, I feel quite categorically from my many years of experience that you really cannot have more than one Data Owner per data set. It really doesn't work, and I don’t recommend you try it. There’s no exception to this rule (believe me, I've been there, done it, still have the scars). What you need to do is find one senior person within your organisation who is going to take overall accountability for that data, wherever it is within your organisation.

Now, if you have maybe two or more interested stakeholders interested in the same data set, what you have to do is get them together and draw a conclusion as to who is the most appropriate person to own it and the others to be key stakeholders.

Another even better option is to consider splitting that data set into subsets until you find a way of splitting it so that everybody's happy that they are owning and responsible for the data that they really should be. Doing it any other way, I can guarantee you, is not going to work. It's going to cause you loads of pain and is going to result in people telling you that this Data Governance doesn't work or doesn't help them. So, I really, cannot stress this enough - you should only have one data owner per data set. It's better to break your data sets down into smaller pieces so that you can achieve that.

I hope that this was helpful and don't forget if you have any questions you’d like covered in future videos or blogs please email me - questions@nicolaaskham.com.

Or if you’d like to know more about how I can help you and your organisation then please book a call using the button below.

Data Sharing Agreements

I've been lucky to work beside Alex Leigh with a number of clients over the past few years and love working with him as our skill sets are complementary. Recently I've received a lot of questions on Data Sharing Agreements and I thought that Alex would be the best person to shed some light on this topic. This is what he had to say:

What are data sharing agreements and where do they fit in a Data Governance framework? On first analysis, it’s not obvious that they do! However, they are relevant when we consider the scope of that framework.

The production, manipulation and use of data outside of our organisations are often forgotten when considering data quality. We focus on internal ingress points which are mostly controlled through our own stewards and producers.

This can be a dangerous assumption as external data is far more common than we might think. It fits into two distinct areas:

- Additional data sets. These are often paid-for datasets which augment or enrich what an organisation internally holds.

- Collaborative data sets. These are mostly found in areas of shared working with other organisations. Research data is the most common of these.

A data sharing agreement (DSA) can be thought of as a data ‘passport’ assuring the quality and integrity of the flow between external and internal organisations.

This all sounds promising until we realise there is no standard data sharing agreement. This isn’t surprising when you consider the breadth of any such document. It may have a very narrow focus on data quality or a wider one including security, frequency, single or two-way flow etc. So we can see a DSA must be aligned with the business value of the data being shared.

Regardless of the breadth, any successful DSA must include:

- Quality rules and tolerances. This covers off exactly what data we are sharing, what quality expectations (both schema and business rules) we are ‘signing up’ to and how that quality is being jointly measured.

- Accountability. The bedrock of any DSA! Who is accountable for the data and at what point – if any – does this change from the external to the internal organisation.

- Breach protocols. How is that accountability used in an operational environment when the quality rules are breached?

To meet these three criteria, any DSA needs an agreed measurement and management approach. Without this, it is nothing more than a worthless paper exercise.

Now we’ve established that creating and managing a DSA is an important consideration in any Data Governance framework, where do we start? We recommend two approaches; firstly see what is being used at the moment in your organisation. It may not be fit for purpose, but it will be a basis to build on.

Secondly, consider talking to your Data Protection Officer. While the DPO will be focused primarily on Data Privacy Impact Assessments, they will have experience of working with external organisations and their guidance will certainly support you in developing new DSAs.

You may even be able to integrate the quality and associated criteria into existing documents and processes. This is an excellent example of where Data Governance can be in support of organisational capability. And that can only be a good thing!

In summary, a DSA is not a ‘quick thing’. It needs careful consideration both in terms of development and how it will operate in practice. Done properly though it will extend your Data Governance framework outside of your organisation potentially saving much time and frustration.

If you'd like to know more about how Alex and I can help your organisation implement Data Governance (and get DSAs in place) please get in touch here.

Data Governance And The Three Lines of Defence

First of all, you might be wondering to yourself, what is the ‘three lines of defence’ model? Well, it's something that is commonly found in financial services companies, but I have seen it elsewhere, and is typically made up of exactly three lines of business.

So first of all, think about what the first line of defence is considered to be in your business. Generally, this includes the people who do whatever your organisation does: whether that's making things, selling things or running a bank or an insurance company - they're the people doing what your company does.

The second line of defence are the teams that tend to set the rules by which the first line run the business. So, these are people like your Legal team or your Compliance team. They're the people interpreting external regulations and working out what your company has to do in order to comply with them. These teams will also include operational risk.

Now, the third line of defence is where you have your audit. This is either an internal or external audit, which scrutinises the first line of defence who are running the business and makes sure they are doing their jobs in accordance with the rules and policies set by the second line.

So, now on to the most important question - where does Data Governance fit in all of that?

Well, that’s a really interesting question and, you may be surprised to learn that I'm not sure it does nicely fit with this. However, since I have done a lot of work in financial services over the years, this is something I've had to figure out on a number of occasions.

I think it's fair to say that more often than not, data governance ends up somewhere in amongst the second line of defence - often sitting alongside an Operational Risk Team. 

Now, it works pretty well there, as long as you remember that a data governance team doesn't just write the rules and then toss them over to the business to comply with. A data governance team is very much supporting the first line to write their own data rules. So a data governance team isn't really writing the rules at all, they're helping and facilitating the first line in writing their own rules.

It’s subtly different, and I have worked for a few organisations that have described data governance as perhaps sitting somewhere in the middle of the three lines of defence, around "one-and-a-half", rather than data governance sitting purely in the second line or purely in the first line.

There is another way of thinking about it. I was discussing this with an Operational Risk Director working within one of my clients fairly recently, and he said he felt that perhaps there was a 1a) and a 1b) in the first line of defence, whereby 1a) are the people doing the work and 1b) are perhaps the data governance team, because they don't set the rules.

Therefore, perhaps it should be considered that the data governance team are sitting in the business helping them run better, but that they're possibly considered 1b) because they're one step back from doing the business itself. They're just helping the business run better by helping people manage their data better.

Don't forget if you have any questions you’d like covered in future videos or blogs please email me - questions@nicolaaskham.com.


Cyber/Data Security and Data Governance – Siblings from the same Parents

This week I am very pleased to welcome Alexander Akinjayeju to write a guest blog. I mentor Alex through the DAMA UK mentoring scheme. He has an extensive background in Data Security and has moved into Data Governance. When helping clients implement Data Governance I often end up liaising with their Data Security Team. During our mentoring calls we have discussed the relationship between the two data management disciplines and Alex explains it so well that I asked him if he would be willing to write a blog on the topic:

Cyber security is the sexy term for information security; it may also be used interchangeably with other scope-specific terms such as IT security or digital security. The keyword here is “Security” of information in whatever format or scope it is presented, be it Cyber, Digital, IT etc. For the sake of this write-up, I shall use the generic term “Information Security”.

The information security discipline can be seen as a science or as an art, depending on your point of view or context.

Science is defined as “A systematically organised body of knowledge on a particular subject”, while Art, on the other hand, is defined as “A skill at doing a specified thing, typically one acquired through practice”. A core concept in Security is the threat of an “enemy” willing to steal, disrupt or otherwise render information valueless.

Information security is an organised body of knowledge (Science) on the protection of information, often involving fighting wars with internal and external enemies (Art).

The subject of Information Security concerns itself with the protection of the Confidentiality, Integrity and Availability attributes of Information assets.

Data Governance (DG) is defined in the Data Management Body Of Knowledge as “The exercise of authority, control, and shared decision making (planning, monitoring and enforcement) over the management of data assets.” It is part of a larger discipline that has traditionally been called enterprise information management (EIM).

What’s the link between Information and Data, you may ask? The illustration below sums it up.

Information and Data.png

Knowledge and information are everywhere; they are converted into multiple formats such as data, audio, pictures etc. for usage. Data, and inherently the information it conveys, is used in business processes and interacted with by humans, transported through physical papers, computer hardware and networks, and stored in computers (files, applications and databases) throughout its life-cycle. Data is also now being used extensively in Artificial Intelligence and machine learning to create new devices and tools, while at the same time driving process efficiency across all areas of human endeavour.

There is no gainsaying that Data is valuable to many organisations, including non-commercial ones such as the military or public services, and particularly so in the current digital age revolution, where Data is said to be the “New Oil”; we even coined a new word, “Big Data”. The illustration below shows the volume of data that was created every second of the day in 2018.



minute day.jpg

The implication of this amount of data is that it drives the global economy, which leads one to conclude that there is a lot of value in the data. Traditional industries including banking and finance have been disrupted, while completely new industries have sprung up in recent years. For example, Uber and AirBNB did not exist 10 years ago, and neither of them owns physical assets in its operating model; Uber’s revenue was over $14 billion in 2019 and AirBNB is valued at $38 billion. Guess what? Data is their main asset!

The remit of Information or Data Security is the protection of the value of Information and Data assets!

There are a few stressful periods in the working life of a security executive:

1. The annual ritual of budget planning and decisions on the allocation of scarce resources is a very stressful time for the business executives involved in the process. The process involves a lot of data, numbers and logical articulation of projections for the coming year; this is about the cost of security. However, oftentimes the value of the data to be secured/protected is not included in the discussion.

2. Initiation of a strategic security programme, either as an improvement or as a complete green field setup. These programmes are often driven either by compliance obligations or as a result of audit findings or general information security risk management.

3. Identification and location of critical business data, the level of control required and the amount of resiliency required to ensure business continuity when disaster strikes. In order to search for an item, the minimum requirement is that you know what you are looking for: perhaps a description or characteristics and other specific features.

4. Prioritizing the most effective controls to deploy within the constraints of defense in depth principles. This challenge is premised on the fact that resources will always be limited; even nation states don’t have a bottomless pot of resources. It’s also a fact that some data and applications are more important and sensitive than others. When we prioritize there is always an opportunity cost of the things we forgo, therefore we want to ensure that we are choosing the right assets to protect and the right controls to deploy.

As you can see from the above list, none of the items are exclusive to the security function. At the heart of it all is the “Data” that needs to be secured. If we don’t know its attributes, such as characteristics and description, we cannot find it; if we don’t know its importance or criticality to the organisation, we cannot apply a commercial/financial value to it, nor can we prioritize it, nor can we know whether it is within a compliance scope.

The Chief Information Security Officer and their team do not own the Data which they are expected to protect. The CISO doesn’t know its relative value, nor does the team understand the risk appetite or tolerance of the firm without active collaboration with the business or stakeholders. The Security team cannot define the security attributes or level of protection a Data Asset requires.

The consequence of the above is massive! It causes either inadequate or over-investment in security, an opaque decision-making process, a false sense of security, misuse of limited resources protecting low-value assets to the detriment of critical assets, as well as poor business resilience and disaster recovery planning, among others.

The answer to all of these can be provided by a Data Governance programme or function.

The need for collaboration between the Data Governance and Cyber Security teams is often critical, particularly on Data Loss Prevention projects. It is an indisputable fact that modern businesses have a lot more data and data channels to contend with, both structured and unstructured. Data is ingested from multiple sources and may be found on on-premise servers, in Cloud apps and storage, on users' devices including mobile devices and smartphones, and in many more locations – the dispersal surface is forever widening. It is inefficient and far more expensive to expect the security function to effectively secure all data regardless of its sensitivity when its criticality is not known. Part of the consequence is the high level of Data breaches frequently reported in the media, as resources are spread too thinly rather than being focused on the “Crown Jewels”.

In my professional career I have seen time and again on different assignments that a lot of organisations don’t know where their critical data are stored, and they have no understanding of its flow within the business or what business processes interact with it. These are the everyday issues that security people have to contend with, often playing piggy in the middle between different departments to arrive at ad-hoc conclusions and decisions on data attributes. This approach leaves the business exposed to risks on many fronts.

The Data Governance function would help the Data Security function with the fundamental question of Data Attributes; it will provide the details of value to allow logical decisions to be made around managing security risk to the Data. In return, the Security function will assist the DG function in deploying and operating controls to enforce its principles, policies and standards, as well as monitoring for compliance. It is a WIN! WIN!

I recognize that the Data Governance function is relatively young and evolving; however, the Information Security function will do very well to engage and collaborate with it where it exists, and wherever possible the CISO may even suggest the establishment of one within their organisation.

I hope you found this useful. You can find out more about Alex on his LinkedIn profile.





