IIA recently published a free eBook and longer research brief (note: the brief is only available to IIA clients) on Creating a Data Strategy; included is a 10-step framework that provides organizations insight into what’s needed to build a comprehensive plan that will address the critical questions of how to improve the availability, timeliness, and quality of data. Now more than ever, organizations are becoming more intentional with the use of its data and more focused on stating the objectives for data usage as well as scoping needs, outcomes, and opportunities. However, pulling it all together into a document and socializing across the enterprise is a challenge. One critical part of a data strategy entails assigning roles and responsibilities so that there is a clear understanding of who owns what and when there’s an issue, a clear chain of command and ownership has been established. While IIA won’t tell you where to place certain titles, working through a data strategy will help you surface the right discussions in your firm.
When thinking about a use case for a data strategy and why it’s important to have the right people in the right roles, one example can be the Ryuk ransomware that attacked businesses and hundreds of US hospitals last month. In terms of data governance and data security roles, it can be assumed that those that had a data strategy in place and had specific data roles assigned -- or the semblance of a data strategy -- fared much better than those who did not. This led me to question how civic and private organizations address data breach issues and who is typically on point, who would be assigned to that role if there was an established data strategy. My assumption was that a CISO was in charge but after a couple quick searches, it was clear that this wasn’t an easy answer as more and more data related roles have started to overlap in responsibility and scope.
When looking at the civic sector, there are close to 100 government CDOs and CAOs throughout the US. Government Technology featured a recent survey that was deployed to 500 state and local government leaders to identify where the “public sector stands on key issues like cybersecurity funding, standardization and training.” When asked “who’s in charge?” the survey reported that 46% of respondents identified the CISO/IT Director as the person who oversees organizational cybersecurity within their agency followed by the CISO (26%), “no one” has an assigned role (6%), CTO or equivalent (6%), a third party company (4%). What is truly shocking is that 6% have not identified an individual to manage their cybersecurity efforts and while this number is on the smaller side, it’s an indication that there is a need to shore up roles and responsibilities to be prepared for potential threats. It’s also an indication that the CDO role may still be too new in some government entities to understand the full scope and purview of a CDO.
On the corporate side, EY published a piece earlier this year entitled: “How chief data officers could remove the tussle at the table.” The authors shared that recent digital transformations have led to three executive roles experiencing not only overlap but “collisions” in data responsibility for the Chief Data Officer (data governance), legal counsel (privacy and ethics), and CISO (cybersecurity). Despite this overlap, the authors asserted that it’s the CDO that should ultimately be responsible for data related issues: “sitting at the center of this convergence is a utopian zone and one simple idea: trust in data. The sweet spot is a place where data is well managed, where the privacy of customers and suppliers is protected, and where cyber threats are minimized. And the person responsible for all three is the CDO.”
Another perspective came from an article authored by James Howard that appeared in Enterprise Security where Howard outlined the role of a CDO before, during, and after a data breach. Howard shared that the CDO should be responsible for the data strategy, conducting an inventory of data assets, and performing regular risk assessments of those assets but in times of crisis, it’s the CIO and CISO that lead the charge with the CDO providing guidance based on their intimate knowledge of the data and the “processes, policies, and controls.” This shift in management would definitely require some advanced scenario planning to perfect the hand off protocol during a crisis.
If your organization is still on the fence about moving forward with a data strategy, the Ryuk ransomware attack should be a warning for data and analytics leaders to evaluate data roles and responsibilities and document disaster preparedness plans to mitigate corporate, financial, and customer risk when a crisis strikes.
Lise Massey is the Program Manager for IIA’s Analytics Leadership Consortium (ALC) and has been with IIA for six years. The ALC is a closed network of senior analytics executives from diverse industries who meet to share and discuss best practices, as well as discover and develop analytics innovation, all for the purpose of improving the business impact of analytics at their firms. Prior to IIA, Lise spent over 10 years designing, managing, and leading media analytics programs for a diverse portfolio of clients and has experience in many aspects of program and project management, account management, strategic and tactical planning, business development, and training. Lise is a graduate from the University of Oregon.
You can view more posts by Lise here.