In recent years, data has been called the new oil for its ability to create wealth. But only the lucky few find they are sitting on a big oil well. By contrast, every business produces a treasure trove of data.
Chief executives and boards are scouring company data for nuggets that will boost revenues, whether it’s by finding an exciting route to market, moving into an adjacent area, or taking costs out of their operations. With developments in artificial intelligence and machine learning offering ever more effective ways of analyzing data, businesses are racing against the clock to get ahead of their rivals and gain a competitive advantage.
But data must be handled with care.
With record fines imposed on businesses in Europe and the U.S. for mishandling data, it has become clear that there can be huge costs associated with data. Data is susceptible to cyber theft and unless it is carefully managed, can lead to breaches of privacy law.
Most companies are gathering as much data as they can. As chief information officers (CIOs) and chief technology officers (CTOs) are under pressure to unleash data-driven innovations, the chance of a data breach or cyberattack is likely to increase. The CISO can feel like a block on business development, always pointing out the risks of the latest whizzy suggestion and losing hair and sleep.
More Data, More Risks
A data innovation could involve using personally identifiable information from customers. From targeting existing customers with products tailored to their needs to sending out marketing materials, a CISO would worry about whether this complies with tough privacy regulations such as GDPR.
An innovation may involve overlaying the company’s data with data from a separate organization. Control of the data passes out of the hands of the business and depends on another organization.
As the amount of data that a business collects balloons, pressure mounts to outsource the processing and storage of that data to a third-party data center – the cloud. Storing sensitive data on the cloud further removes control from the company, and there’s the possibility that it will be intercepted, corrupted or misused.
At the same time, every increase in data collection and processing puts further pressure on the cybersecurity team. More data and more network activity ramp up the number of security threats that need analysis. To do that, extra resources and computing power are needed, which will mean using cloud services.
The CIO and CISO find themselves locked in a strange dance, each pushing against and pulling away from the other. The cybersecurity operation needs to analyze and correlate ever more data and requires increasing storage and processing capacity as it reacts to alerts and threats. The CISO will ask the CIO for greater data capacity. But the CIO is pressured by the board to use any spare capacity to develop innovations in the use of data that bring in new revenue streams.
When Data and Security Collide
A classic example of the governance issues facing data-driven innovation is traffic mapping service Waze. This mobile app has revolutionized navigation on the roads, taking data that nobody else considered monetizing and turning it into something valuable. Waze uses the data from the smartphones that drivers take into their cars to analyze the telemetry and learn how fast the car is moving and in which direction. This allows Waze to map traffic flows and direct drivers away from congestion, enabling them to find the fastest routes to their destination.
You can understand how the outlook of the CIO collides with that of the CISO. The technology chief cares about getting data from drivers’ phones to aggregate it and understand traffic patterns. But for the CISO, this is a security nightmare. Grabbing data from individuals’ phones to look at traffic flows is a potential breach of privacy. The CISO will want to know at what point the driver’s personally identifiable information – where they are travelling and at what time – becomes public data as it is aggregated. The CISO has to insist the data is anonymized – the app cannot say a someone is driving down a certain street at a given time.
Meanwhile, the Waze app raises a host of security issues. If you put software on people’s phones, you have to ensure that no one can hack into it. When the data is sent back to the central server, it must be encrypted and secure so nobody can hack into it mid-transit and no-one can misinterpret it or misdirect it.
These issues appear to have been resolved though there have been reports of security breaches with the app. In 2014, students hacked the app and conjured up a non-existent traffic jam. Waze, owned by Google, promised to look into the issue. In another hack in 2016, a researcher claimed to have found a vulnerability which lets hackers spy on users’ movements. Waze disputed this and said it would take steps remove any chance of this happening.
Audit All Your Data
The tension between CIO and CISO is emblematic of the shift we are witnessing across the economy. Before Waze, satellite navigation systems collected data using their own infrastructure. It was all about internally-owned data gleaned from monolithic infrastructure. Now there has been a shift is to public data where there is no need to make a big capital investment but simply to use people’s smartphone data in creative ways. The way data is freely uploaded, downloaded, passed from company to company and sliced and diced in multiple ways has created a whole new set of security and privacy challenges.
Boards of directors must bear in mind the challenges facing the CISO when considering how to leverage their data to find new routes to market or to innovate.
To adequately secure the organization, the CISO must undertake a rigorous audit of all the data that flows through the organization, both internal and external. The audit must find out where all the data is stored, who has access to it and what they do with it. This is a massive task as many organizations struggle to create an inventory of physical assets, let alone liquid and moveable resources such as data.
Once a full data audit is completed, the next challenge is to decide who should have access to which bits of the data and how that should be monitored and enforced. This is a struggle when the amount of data is constantly increasing and being used in different ways.
One solution is to create a zero-trust network. This assumes that no one who uses the organization’s data can really be trusted to keep it safe. So, everyone’s access is restricted purely to the activities they need to engage with. For example, finance staff can only access finance data.
The CISO also has to become best friends with the CIO and say: “Look, when you start looking at something new, you need to tell me so I can think about the security implications in parallel.”
If the CISO is not on the journey to innovation from day one, they will always be behind the curve. An innovation may be introduced before the CISO has fully factored its use of data into the audit. Otherwise, there is bound to be conflict with the CIO and with the company board.
Like oil, data can bring great wealth. But businesses must bear in mind that data also has the potential to wreak havoc. They need to empower the CISO to keep data safe while continuously driving innovations.