I recently met with Jim Orr, author of Data governance for the executive, to try and understand what he meant by that term.
The book was released last October and I began by asking him what he meant by data governance and security and how the two work together. He said: “I think the biggest thing with security is that with governance you've got all these custodians throughout the organisation. What they do is they bring visibility into a variety of different operations, processes and activities with the data that is not visible, unless you've got that type of environment of which to capture in.
“We know that somebody over here is using spreadsheets to run core business operations and we know that it's a shared server, but all of a sudden it becomes invisible. We understand folk are taking stuff home on their laptop that maybe they shouldn't, all that different type of stuff. So it's that type of security privacy that starts to enhance and mitigate the risk around a breach.”
So if that concept doesn't make sense, I asked Orr if data governance is something that businesses and IT managers are particularly aware of, or if they knew about the challenges around it.
He said that we are at a point in the evolution of data governance where organisations are becoming very aware of it, and, while they do not necessarily know what it is, everybody's got a different perspective of it.
“The core of the book is about demonstrating a holistic value in governance, and presenting it to executives and legislators so they understand it. When it comes to security and privacy, the value there obviously is mitigated risk; the Ponemon Institute said in 2010 that the average breach is going to cost £5.1m, I think.
“So you go back to the custodians and stewards who can bring visibility to it and mitigate their risk. The Ponemon study also found that over 40 per cent of breaches are attributed to business partners. So, where is the data strategy around doing business with business partners? That's where governance comes in as well. So governance can come in and help, you know, be the framework and the body for establishing what that data policy should be, you know, with business partners.”
Asked if that relates to the ownership and knowledge of the data, Orr said yes – it is a case of knowing what you've got. So I asked Orr if he saw data governance as a kind of concept, or as a technology or policy, or as a combination of all three.
He said: “It's a discipline, and it's made up of both business process that defines and manages a data policy, as well as technologies that implement that policy. So that's kind of what governance is, at least in our mind.”
Moving on to data loss, I cited a recent conversation with information commissioner Christopher Graham in which he said that there needs to be awareness among staff of the sensitivity of data. So does that come back to data governance?
Orr said: “Absolutely, and the governance plays into the role of developing that policy for the organisation. A lot of organisations are coming up with formal education programmes on how you handle data. I mean my company does that, but there's a lot more of that going on, and it doesn't just hold true with the companies who have historically dealt with the real sensitive data, but it's across the board.
“A lot of commercial enterprises are now saying, 'You know what? We've got data, we might not know how to manage this, but we're going to start here, and here are the education tools we're going to use for it.'”
Asked what businesses were saying to Orr, he said that understanding of data governance was immature.
“It's only covered a small piece, perhaps data domain, or whatever the case might be. Some have tried to do it and haven't done a very good job of it. What we have tried to do with the book is raise that awareness, give them fundamental concepts for success with a variety of different things and say, 'If you want to go down this road, be prepared for it', and there are ways to do that, and there are ways to be successful, and we try to offer up as many as we can,” he said.
“Typically it's not brand new, but it's helping them shape their ideas around it and their concepts and put it into a mindset that they can actually be productive with it. So, you know, if you're going to go to your executives and you want to do a business case around governance, these are the things you need to think about and how to position it.”
Orr said that it is about more than best practice; it is about getting an organisation to believe in their best practices. “Let's not just do it because somebody says we ought to do it, if this all makes sense then let's go forward with this,” he said.
So what would be a good first step for data governance? Orr said he would go right to the top, but not until he had a really solid business case – what the book outlines – specifically how to identify that value and take a look at the whole picture and what the potential might be for the organisation.
“I'm not saying you have to implement it holistically, I'm just saying when you identify your business case on a single project, it's not normally as compelling as it can be as if you look at the whole picture,” he said.
Orr added that the number-one question he kept getting asked was: “How do you convince business leadership of the need for data governance, because the practitioners, the people who are in the trenches, they need to govern this environment on a number of fronts?” He also said that identifying business value was a challenge.
“Organisations are struggling with that, so I felt like I needed to write the book to bring clarity to the discipline, and then, number two, identify the value in ways that organisations can apply that. At the end of the day, I just felt like there was a lot of confusion, and I wanted to try to bridge that gap.”
In terms of implementation, it is often bad news that starts a good programme or causes change. Orr said that a governance programme is the eyes and the ears of the organisation when it comes to information assets and understanding and preventing situations, because technology can only do so much.
Whether you see something like this as a buzzword, a technology phase or a pitch for a technology, it all amounts to taking data security more seriously. Orr's point that these things have to start at the top of a company with a strategic plan should ring true though, and data governance can be one part of that.