Data Governance from the Outside Looking In

December 17, 2019 No Comments

Featured by Desiree Robinson, Governance, Risk and Compliance Manager at SurveyGizmo

Companies are on high alert these days. Most are continually working to avoid being the next headline. While the importance of protecting customer or other third-party data cannot be overstated, it is my experience that many companies are too narrow in their vision of data governance. Internal data, for instance, makes up the majority of the overall data held by a company. Not only is internal data the most voluminous, it includes some of the most sensitive information.

When we talk about employee-data security, the risks begin from the outset. Imagine the typical scenario of onboarding an employee. The employee starts by filling out paper forms that are then entered into a web-based HR system, as well as one or more other supporting systems. More than likely, these are also web-based. This information includes not only the name of the employee and the names of their family members, but also their social security number, address, and other identifying information, and even the financial information that is shared in this process.

Most employees will provide bank account information for their direct deposit and many give a credit card number to sign up and pay for company-sponsored discount programs or services. By the end of the day the employee has put personal identifying information, as well as private financial information, in the hands of their new employer. Immediately, this data is disseminated across several web-based systems with varying levels of IT security, accessible to several departments. More than likely, a hard-copy paper trail has been created, too. To think that this data then receives anything but the company’s best IT security and data governance policies is simply unacceptable.

What’s a company to do? The first step is to take internal data security and governance as seriously as one takes third-party data governance. With that in mind, three key factors are needed for internal data governance: 1) A dedicated data governance, risk and compliance function; 2) Clearly assigned roles and responsibilities for who will manage data governance; and 3) Continuous monitoring of data governance practices.

Governance, Risk and Compliance

While this function will vary greatly depending on the size of an organization, it is essential that the investment is made for a dedicated resource or team of people to manage data governance within the organization. The employee(s) on this team must have the requisite experience and truly understand data governance principles to be able to handle the challenges that might present themselves.

A key responsibility of this group is to work with the executive team to establish a data governance framework, together with a classification model that determines how different types of data are to be handled. Once a classification model is set, it is imperative that it is communicated across the organization. Many poor data security practices are the result of employees simply not knowing what the proper protocol is for handling certain types of data. Education and training across the organization is key.

Roles and Responsibilities

Data security is everyone’s responsibility. However, in practice, most employees don’t see it that way and organizations do little to educate employees and reinforce this important fact. In reality, data governance responsibilities are assigned out and managed on a department-by-department basis. This siloed approach to data governance inevitably leads to an inconsistent and diverging approach to how data is managed and protected. A central governance function is essential to break down the silos to create a central point with visibility across the organization. This allows for better sharing of best practices and the ability to perform the necessary monitoring to ensure adherence to the established framework and compliance with key policies.

Continuous Monitoring

The best data governance frameworks and properly structured organizations can quickly fall apart if there is not an element of continuous monitoring. As it relates to internal data, when employees are hired or terminated or employee data is otherwise updated, it is essential that active monitoring take place to ensure that these changes are handled appropriately. However, with something as important as employee personal information, an additional check should also be incorporated by way of a periodic validation of compliance within the data governance framework. Continuous monitoring coupled with periodic validations or audits is the best way to ensure that the monitoring function is adequate and will protect against the tendency to loosen standards over time.

Motivating Change

Making these types of changes in an organization can be challenging. Changing behavior and processes across several departments in the name of data governance is a difficult proposition. Experience shows that helping employees change their behavior regarding data security typically depends on the organization’s ability to motivate employees to simply care about data security.

While there may be a temptation to use “shaming” or “negative consequences” as a method for promoting correct data governance practices, employees typically respond better when they have an incentive or motivation to adapt their behaviors. For example, companies can publicize the list of employees that clicked and fell victim to a phishing campaign test. This public “shaming” or attempt at embarrassing employees into taking IT security seriously is typically less effective than promoting the positive and publicizing those that reported the phishing attempt. Taking that one step further, offering rewards and incentives for those that don’t fall victim to the test and report the suspicious activity is another great tool. Coupling these efforts with training in the moment has proven very effective in phishing campaigns, and the same principles apply to the broader data governance efforts of an organization.

Unfortunately, we are living in times where the question is less about if a security breach will occur and more about when it will occur. Given this reality, companies must take a more holistic view of data security and ensure that their efforts are not solely focused on third-party data but also include internal employee data. Employee data is as important as the external data managed by the organization and should receive the time, attention, and care that it deserves.


Desiree Robinson, Governance, Risk and Compliance Manager at SurveyGizmo
