Panel Discussion: Is Data Risk slowing down progress in organisations?



Background & customer research

As a Data Discovery software company, Data Risk is understandably a hot topic at Exonar, and one which is frequently on the lips of our customers.


This is not surprising: the average UK data breach is now thought to cost organisations $3.9M and to take as much as 256 days to identify and contain [1], so organisations must act now, more than ever, to proactively reduce the likelihood of attack. Moreover, it is no longer enough to build a minefield of defence around your data from the outside, as the frequency of insider breaches (whether caused by negligent or malicious employees, contractors, or criminals operating within the company) has tripled in recent years [2].

To delve deeper into how Data Risk is actually impacting organisations day-to-day, quarter-to-quarter, and project-to-project, we started by asking our customers what their experience was.

In an anonymous poll, we asked our customers “Is Data Risk slowing down progress in organisations?”:

  • 83% of our customer respondents said ‘Yes’,
  • 17% said ‘Somewhat’,
  • and no one said ‘No’.

When probed further, our customers felt that Data Risk was often a low priority within organisations, or sometimes not recognised in some departments at all. They felt that, while not high on the board agenda, risky data was quietly accounting for large volumes of unused and unaccessed data in the organisation, contributing to high storage costs and compromising clarity of information. Identifying, measuring and rectifying risk in data requires a huge investment of resource that our customers felt could otherwise be “better spent” on data transformation initiatives.

We decided to take this topic into a wider panel discussion at the virtual Customer Forum we hosted in May 2021.

Meet our expert data panel

We invited 3 guest panellists to join us:

Conor Hogan – Global Privacy Lead, Cybersecurity and Information Resilience, BSI Group

Conor has more than a decade’s experience in data consultancy and auditing, with extensive knowledge of designing, implementing and operating enterprise-wide privacy programs and providing outsourced DPO services to clients all over the world.

Martin Smith MBE – Chairman and Founder, Security Awareness Special Interest Group (SASIG)

Martin received the 2017 Lifetime Achievement Award for his services to the security industry, with a background in both the military and banking. SASIG is a membership organisation now into its 17th year of events.

Jim Griffiths – CISO, British Sugar

Jim has held regulatory, compliance and security roles across a number of high profile organisations over the years, with a military background in counterintelligence.


Gareth Tranter – Chair of panel and Head of Customer Success, Exonar

Danny Reeves – CEO, Exonar

Panel discussion

We opened by posing the same question to our panel: “Is Data Risk slowing down progress in organisations? And what do you think of our poll results?”

Conor, BSI Group

“I think inherently that poll is right. Based on the work I do with my customers, I would say Data Risk is currently slowing down progress in organisations.

However, I think the solution is to flip how we consider data on its head. We need to stop thinking of data as a problem and instead look at it as an opportunity. If we embed privacy and security by design into the core of a business then we can fundamentally shift the culture and conversation towards leveraging it for competitive advantage instead. Essential time and resource can then be freed up and ‘managing data’ can take on an entirely new meaning.”


Martin, SASIG

“I am very much a cup-half-full person. The current pandemic has demonstrated that it is an important time for the cyber industry, and we deserve our rightful place at the top table. Can you imagine organisations trying to manage during the pandemic without cyberspace? Society would have crumbled.

On one hand those poll results are good news, but that is because it shows that these are professionals that care about data risk. I believe a huge number of organisations in UK PLC do not even have data governance on their radar. We are facing a monumental opportunity as Conor says, but a monumental challenge. If we think about the National Cyber Security Centre (NCSC) we can see the UK strategy is genuinely world leading. What NCSC is, and what it underpins is the best there is. And yet, its profile amongst the corporate community is surprisingly low.

So, I would personally answer your question with a no. Data Risk is not slowing down progress because so few organisations are even really acknowledging it.”


Jim, British Sugar

“I’m glad we finished on a ‘NO’. In the last 10 years I’ve been heavily involved in the digital transformation of companies. Data Risk has not been the problem they’ve been facing, but data management has been. Lots of structured and unstructured data to deal with. But ultimately, the organisations have wanted to understand and manage the data to make better business decisions. Maybe I’m fortunate that I’ve been at a senior enough level that I can create secure by design businesses while we transform, as Conor talks about, as this has definitely been essential. So my answer very firmly from my experience is that Data Risk isn’t slowing down progress, but the challenge of data management definitely has.”


Martin, SASIG

“The fundamental problem with data in its use and protection is that most organisations don’t know what they’ve got or where it is. It is an issue of classification. It’s in my professional blood to think that organisations should look after their most valuable data and do what they can with the rest. But if organisations don’t know what data they have in the first place then I don’t know how any CISO can sleep at night.

It is unforgivable. Not that there are any organisations that are immune from this, unless an organisation has no data at all, but that’s not possible. Maybe we should be going to the boards within organisations and asking them who will get fired if there is a security breach? A potential key to raising the profile of risk at board level is to get the board members and investors to understand that if a breach is suffered due to lack of action then it is them that are held responsible.”


Jim, British Sugar

“How easy have you all found it to act on risk across multiple departments? I struggle. Martin is quite right, most organisations don’t know what data they’ve got in the first place. Businesses need to be educated further. Data itself is a nebulous term and stewardship is a big old task to tackle. Tooling comes into it as well but first a business must understand what data is important to it and they must understand what the board’s view on data is.

It’s best to start with information at the top of the classification list – financial data, personal data, and so forth. At British Sugar I started doing this in 2020 and have only just finished the discovery piece, let alone actually doing something about it.”


Dave Parker, Group Head of Data Governance at Arrow Global and one of our customers present at the forum, asked:

“Do you think that GDPR gave a false sense of security to board members? You can spend forever rationalising with the board and yet still only build a paper-based shield around your data. But really, organisations need to understand the data they’ve got and conceptualise data properly. GDPR puts a smoke screen over everything.”


Conor, BSI Group

“That’s a really good point. GDPR is definitely seen as a line in the sand by many. In my experience most organisations tend to have a bias towards action and they would rather get something done and then move on. GDPR set a date that organisations had to work towards and once that was achieved everyone said ‘thank god for that. What’s next?’ and then organisations looked to the next challenge.

Personally, I don’t think GDPR changed a thing in itself. It just re-stated what was already there. The only difference made was that it gave the regulators a little bit more armoury. But essentially it was a smoke screen because the fundamental requirements and compliance obligations already existed.

So if companies weren’t already meeting these obligations, then they were carrying a massive compliance risk. And if organisations did just view it as something which had an ‘end date’ then that goes back to the organisation having a wider cultural problem. The mindset needs to be changed from ‘do we need to do this?’ to ‘we absolutely must do this because we have to’.”


Danny, Exonar

“Conor, you are a man after my own heart. The thing that I am seeing shift is that organisations are starting to appreciate their responsibility to data. I’m hearing people say ‘I have a responsibility now to understand this data so I can better protect and serve people’, so I hope the culture is changing, and I think it is.”


Conclusion & key takeaway points

Martin, SASIG

“I’m going to turn this whole topic back on ourselves quickly. Something pointed out to me recently in our SASIG community is that sometimes boards within organisations don’t understand Data Risk. Now it’s not because they’re not able to comprehend it, if they’re on the board then that means they must be really bright. It’s because we haven’t explained it properly to them. So we are responsible for lack of understanding and lack of commitment to Data Risk at board level. We therefore need to find the tools and the words that will help us to communicate this better.”


Gareth, Exonar

“Martin, I think this is a really important point. I like to think of it as quantitative risk modelling at board level, to try and change the argument from ‘we might have a load of data that’s risky’ to ‘we have a big black hole in our risk register within our data estate, and that equates to something we can put pound signs on and has money attached to it’. And this is what captures people’s attention. The board isn’t thick, you are right; we need to take better ownership of it.”


Jim, British Sugar

“We talk a lot about both risks and uncertainties in my business. Risk is quantifiable and uncertainty, well we try and put some kind of measure against it. We are in a period of uncertainty. I personally feel we are in a period of evolution now. Future generations won’t have to deal with this problem in the same way as we are dealing with it now. The attack surface just gets wider, the attacks get more complex, and the penalties for failure are increasing. Businesses cannot survive without their data. It is that important.”


Conor, BSI Group

“There is a common cliché statement used in organisations: ‘run the business, change the business, scale the business’. I think that, regardless of what the risk conversation is, once the board is talking about risk and we have the right people providing the right information to educate the business on risk properly, then running the business becomes dependent on what data you have, where it is, why you have it and what you can leverage it to do. Changing the business then becomes a risk-based decision. Scaling the business then becomes informed by risk, and you can naturally put the right resources in the right place. Informed, intelligent analysis of what is happening on the ground is needed.”


Takeaway tip for organisations reading this:

Jim: “A lot of ransomware attacks won’t work if you don’t have a Cyrillic keyboard.”
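The tip relies on a check that several ransomware families have been reported to make: they enumerate the installed keyboard layouts and exit when a Cyrillic one is present. As an added example that is not part of the forum write-up, the PowerShell below adds a Russian keyboard layout to the current user's language list on Windows 8 or later (without changing the display language) and then lists the preloaded layout IDs; it assumes the Windows International module's Get-/Set-WinUserLanguageList cmdlets.

```powershell
# Added example (not from the Exonar forum write-up): make a Cyrillic keyboard
# layout present for the current user and show the resulting preload list.
# Assumes Windows 8 or later with the International module available.

$languages = Get-WinUserLanguageList
if (-not ($languages | Where-Object { $_.LanguageTag -eq 'ru-RU' })) {
    # Append Russian to the language list; the first entry (the display
    # language) is left untouched, so only the available layouts change.
    $languages.Add('ru-RU')
    Set-WinUserLanguageList -LanguageList $languages -Force
}

# Keyboard layouts preloaded for this user. Values are layout IDs;
# 00000419 is the Russian layout, 00000809 is UK English, 00000409 is US English.
$preload = Get-ItemProperty -Path 'HKCU:\Keyboard Layout\Preload'
$preload.PSObject.Properties |
    Where-Object { $_.Name -match '^\d+$' } |
    ForEach-Object { '{0}: {1}' -f $_.Name, $_.Value }
```

This is a cheap heuristic rather than a control: it does nothing against families that omit the check, and it is no substitute for offline backups, patching and strong authentication.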