At the start of the New Year, CIO magazine has data protection and governance at the top of its list for this year. I thought this was supposed to have been taken care of from day one! In an age when even words are being patented, we are still trying to figure out how to protect data.
It’s true that we have information hidden everywhere, consciously or not. We realised only very late the value of the data we had been carrying for so long. We found there was a lot of value in this dusty data that we had a hard time archiving, and so we developed the concepts of the data warehouse and business intelligence. Even then, we forgot to protect it. Talk to some of the best data warehousing experts in the industry and you will be surprised when they start arguing about whether you need to protect data at all! Any data archived for future use needs to be treated as intellectual property, with proper controls in place to protect it. Many times our analysts and developers have easy access to this kind of information. We have flat networks with no segregation between the development and production environments. Sometimes a non-production environment is even considered as the failover for a production site! Nor should you be surprised when the custodian of the production data approves its use as test data in a non-production environment. Every business wants an immediate, easy and quick solution for the market, and in order to deliver it we tend to lose our common sense. We give direct access to our data warehouse from an Excel spreadsheet. The residual copy of whatever data was accessed then sits hidden somewhere on a desktop until someone unknown retrieves it.
While we are in the race to cut costs and outsource, we do not realise the ramifications until it is too late. Initially outsourcing meant personnel coming onsite to do the work. Now it is the opposite: we ship our data across borders. We assume our network is efficient, that the personnel at the offshore site are efficient and skilled, and that they exercise enough due diligence to protect the data. The reality is different. With the high daily turnover of IT personnel at some outsourcing vendors, where the banners on campus read “trespassers are recruited”, you cannot find committed, experienced and skilled staff. Some of the personnel who work on our credit card numbers are themselves ready to give out their own credit card number, CVV and address. Most are recruited straight from college, and their only concern is to get a job and take a vacation to enjoy it! The laws of the jurisdiction where the information originates do not apply at its destination, so it sometimes takes a long time to resolve a data breach.
We are still not mature in the way we deal with data. Most organisations are still building a metadata repository that would record data classification along with the access controls mandated by the business. Some are still asleep, while others are inventing their own “law of the jungle” instead of following an established set of industry standards.
I agree with your sentiments. When the business is excluded from the dialogue about risks and only included in the financial discussion, guess what... no information life cycle management, and no business ownership of the data or of the risks in how the data is being used, stored, shared, and disposed of.
Occasionally the business would choose the “path of least resistance” by merely seeking to fulfil whatever the jurisdiction requires for security compliance, rather than addressing the real issue and providing true protection of data (well, we all know policy exceptions won’t enhance security). This potentially gives us a serious false sense of security, especially when an institution fails to monitor, through meaningful measures, the aggregate risk that the business has accepted across the board.
I wrote and published on this about two years ago. The article was again republished in the Taylor and Francis scholarly newsletter EDPACS and can be found at: