I have written this posting for the CEO and his/her Board of Directors/Advisors and not for IT/Technical management as they are only responsible for executing the Policies & Plans that their Executive Team has set forth.
According to the UK’s ICO >90% of all reported data breaches are caused by Human Error and not by Cyber Criminals or Hackers. In spite of this, the singular focus is now on Cyber Security as the means to prevent data breaches.
Data Leadership must come from the top (CEO and Board) and cascade down to the entire Organization in order to be pervasive & effective.
The worst nightmare that every CEO & his/her Board face today is not an unchecked competitive threat or insufficient market capitalization, but that of the Data Breach. Virtually every Fortune 5000 Company, Government entity and NGO has had at least one major data breach during this decade, with many having multiple “badges of shame” to their credit. Each breach, whether malicious or accidental, brings all sorts of recriminations & bad press to the Organization and its Leadership. Mea culpas and low-level IT managers falling on their swords has become commonplace and is now meaningless for the most part as the root cause of the issue continues to not be addressed; that of “The Lack of Executive Data Leadership (pre & post-breach)”.
Data, especially those classes which contain “personally identifiable information” (PII) is one of the most valuable assets that every Organization collects, stewards, exploits and protects. Without it there would be no Organization in virtually all cases and yet treating “data as an asset” is typically (if not always) entirely off the radar of the Chief Executive, the Board and the Senior Executive Team (SET). Their only concern seems to be mitigating the “risk” associated with this asset class in respect to Compliance with applicable laws, statutes and regulations. The protection of data is always left to the CIO and/or CISO who reside multiple levels down in the Organizational Hierarchy. This must end now or Consumer Trust will be lost forever in fairly short order.
Data Leadership must come from the top (CEO and Board) and cascade down to the entire Organization in order to be pervasive & effective. It defines the Strategy for managing & exploiting data over its entire lifecycle (creation, harvesting & retirement). A critical component of this management lifecycle is protecting data from unauthorized access or inadvertent disclosure. If Executives could envision data being just as tangible as cash, bonds or even trade secrets then perhaps they would be more imaginative in its protection. Every Organization, in spite of its best efforts has a very porous network of interconnections spanning their entire Enterprise. Each of these connection points is potentially a source for a breach, especially now with the influence of the BYOD movement. Once breached, these networks cannot typically detect any nefarious or negligent activity for the most part, much less PII and other Critical Data flowing outwards. It is a Perfect Storm of risk factors and yet if Top Down Data Leadership were in place appropriate resources, sensitivities, monitoring, rewards & punishments, etc. would be in place to detect, mitigate and ultimately prevent these data breach risks altogether as everyone would know that it is the #1 Priority for the entire Organization. It would be “baked into the Culture of the Organization” much less part of the behavioral ethos within it. This use of Leadership & an Engaged Culture to steward and protect critical data is much more practical than any type of Ring Fence that many are currently advocating. “Awareness and Vigilance” becomes the mission for everyone to embrace and embark on each day across the entire Organization. In most cases today data breaches go undetected for up to a year before discovered. By then the damage has been done. This would not be the case in any Organization who is so committed to the core in respect to its data.
Coping with the threat (and aftermath) of Data Breaches requires Top-Down Executive Leadership and an Engaged Culture focused on nurturing & protecting data as an asset. Investing in more Security Tools, Cyber Insurance and endless Consulting engagements will not surmount the challenge of the data breach. Embracing all of the tenants of Data Leadership is the only solution to this long-term challenge. Remember, 2015 is “The Year of Data Leadership” and thwarting data breaches is a good place to start your journey.
*An edited version of this posting appeared as an article in the April 2015 issue of Information Age (UK)