Data Governance from the Outside Looking In
December 17, 2019
By Desiree Robinson, Governance, Risk and Compliance Manager at SurveyGizmo
Companies are on high alert these days. Most are continually working to avoid being the next headline. While the importance of protecting customer and other third-party data cannot be overstated, it is my experience that many companies are too narrow in their vision of data governance. Internal data, for instance, makes up the majority of the overall data held by a company. Not only is internal data the most voluminous, it includes some of the most sensitive information the company holds.
When we talk about employee-data security, the risks begin from the outset. Imagine the typical scenario of onboarding an employee. The employee starts by filling out paper forms that are then entered into a web-based HR system, as well as one or more other supporting systems, which are more than likely also web-based. This information includes not only the name of the employee and the names of their family members, but also their social security number, address, and other identifying information, and even the financial information that is shared in this process.
Most employees will provide bank account information for their direct deposit, and many give a credit card number to sign up and pay for company-sponsored discount programs or services. By the end of the day the employee has put personal identifying information, as well as private financial information, in the hands of their new employer. Immediately, this data is disseminated across several web-based systems with varying levels of IT security, accessible to several departments. More than likely, a hard-copy paper trail has been created, too. Every one of those systems, and the paper trail, is a place this data can leak from. To think that this data then receives anything but the company's best IT security and data governance policies is simply unacceptable.
What’s a company to do? The first step is to take internal data security and governance as seriously as one takes third-party data governance. With that in mind, three key factors are needed for internal data governance: 1) A dedicated data governance, risk and compliance function; 2) Clearly assigned roles and responsibilities for who will manage data governance; and 3) Continuous monitoring of data governance practices.
Governance, Risk and Compliance
While this function will vary greatly depending on the size of an organization, it is essential that the investment is made for a dedicated resource or team of people to manage data governance within the organization. The employee(s) on this team must have the requisite experience and truly understand data governance principles to be able to handle the challenges that might present themselves.
A key responsibility of this group is to work with the executive team to establish a data governance framework, together with a classification model that determines how different types of data are to be handled. Once a classification model is set, it is imperative that it is communicated across the organization. Many poor data security practices are the result of employees simply not knowing what the proper protocol is for handling certain types of data. Education and training across the organization is key.
Roles and Responsibilities
Data security is everyone's responsibility. However, in practice, most employees don't see it that way, and organizations do little to educate employees and reinforce this important fact. In reality, data governance responsibilities are assigned and managed on a department-by-department basis. This siloed approach to data governance inevitably leads to an inconsistent and diverging approach to how data is managed and protected. A central governance function is essential to break down the silos and create a single point with visibility across the organization. This allows for better sharing of best practices and the ability to perform the monitoring necessary to ensure adherence to the established framework and compliance with key policies.
Continuous Monitoring
The best data governance frameworks and properly structured organizations can quickly fall apart if there is not an element of continuous monitoring. As it relates to internal data, when employees are hired or terminated, or employee data is otherwise updated, it is essential that active monitoring take place to ensure that these changes are handled appropriately: for example, that access granted at hire is actually revoked at termination. However, with something as important as employee personal information, an additional check should also be incorporated by way of a periodic validation of compliance within the data governance framework. Continuous monitoring coupled with periodic validations or audits is the best way to ensure that the monitoring function is adequate, and it protects against the tendency to loosen standards over time.
Making these types of changes in an organization can be challenging. Changing behavior and processes across several departments in the name of data governance is a difficult proposition. Experience shows that helping employees change their behavior regarding data security typically depends on the organization’s ability to motivate employees to simply care about data security.
While there may be a temptation to use "shaming" or "negative consequences" as a method for promoting correct data governance practices, employees typically respond better when they have an incentive or motivation to adapt their behaviors. For example, companies can publicize the list of employees that clicked and fell victim to a phishing campaign test. This public "shaming," or attempt at embarrassing employees into taking IT security seriously, is typically less effective than promoting the positive and publicizing those who reported the phishing attempt. Taking that one step further, offering rewards and incentives to those who don't fall victim to the test and report the suspicious activity is another great tool. Coupling these efforts with training in the moment has proven very effective in phishing campaigns, and the same principles apply to the broader data governance efforts of an organization.
Unfortunately, we are living in times where the question is less about whether a security breach will occur than about when it will occur. Given this reality, companies must take a more holistic view of data security and ensure that their efforts are not solely focused on third-party data, but also include internal employee data. Employee data is just as important as the external data managed by the organization and should receive the time, attention, and care that it deserves.