The connection between data governance and cybersecurity might not be immediately apparent. But if one considers the ‘5 knows of cyber’, it becomes obvious that cybersecurity is all about data, and data is all about information, and we want information to be secure.
I use the ‘5 knows’ as the foundation of our data governance framework, because it really helps people to understand why data governance is important and how it can help them. And if people can understand the why then they can move towards controlling their data more effectively. And once we move towards managing our data then we can start to manage information.
Cybersecurity is very much a team sport: it is a collaboration between teams – Data & Information Governance, Cybersecurity, Risk Management, IT Operations, and the business units. There is no way any single group can manage security on its own, especially with the emerging threat landscape.
But the fundamentals of data governance are an essential starting point for the collaboration:
- policies, standards, procedures and guidelines for data governance
- governance groups to coordinate activities
- data classification
- data handling guidelines
- system classification
- an information security management system
I’ve been reflecting on the past year and one big focus area was data governance. Rolling out a data governance program along with an Information Security Management System (ISMS) is a big job for a large and complex organisation, and it is a multi-year project. We are in year two of the data governance program and over the past few years there have been a number of lessons learned.
It is all very easy to throw up one’s hands and say that it is all too hard, that data wants to be free, or that governing data is impossible. Yet to enable new ways of analysing data (and dare I say it, big data) we must work out how to do effective data governance.
Tips for getting a data governance program started
- Clarify your mandate. Get your policies and procedures sorted out early. An official policy clarifies your mandate for running the data governance program and can assist in obtaining buy-in. My starting point was this definition:
“Data governance is the organization and implementation of policies, procedures, structure, roles, and responsibilities which outline and enforce rules of engagement, decision rights, and accountabilities for the effective management of information assets.”
Source: John Ladley, Data Governance: How to Design, Deploy and Sustain an Effective Data Governance Program, 2012
- Set up an effective governance structure. This seems like an obvious thing, but many organisations struggle with it. Getting the right structure set up and the right people involved is critical to success. I have set up a Data Governance Steering Committee (DGSC), which has oversight of the entire program, with cross-organisational executive involvement, and it has been very important in obtaining credibility. The DGSC is supported by another committee, which takes a more hands-on, day-to-day role in deciding how we manage data across the organisation. We also work closely with IT, Privacy, Procurement, and Legal to ensure that they are involved in the data governance program.
- Make a start. In a large organisation it can be daunting to consider data governance and to know where to start. Find an area of the organisation that has some willing people and just get started. This lets you demonstrate success and leverage that success to get the next area of the organisation involved.
- Take inspiration from other organisations. Don’t feel the need to invent data governance from scratch. Talk to other practitioners – they’re usually delighted to find a fellow traveler. Find groups where data and information governance folks hang out, like The Data Governance Institute: The DGI, Information Governance ANZ or the Data Management Association Australia (DAMA). The kind folks at DG @ Stanford University were particularly helpful to me in the early days.
- Ignore the vendors. There is a plethora of vendors who say they have solutions for data governance. Ignore them. It is not about the tools; it is about practice and culture.