“I am very much a cup half full person. The current pandemic has demonstrated that it is an important time for the cyber industry and we deserve our rightful place on the top table. Can you imagine organisations trying to manage during the pandemic without cyberspace? Society would have crumbled.
On one hand those poll results are good news, but that is because it shows that these are professionals that care about data risk. I believe a huge number of organisations in UK PLC do not even have data governance on their radar. We are facing a monumental opportunity as Conor says, but a monumental challenge. If we think about the National Cyber Security Centre (NCSC) we can see the UK strategy is genuinely world leading. What NCSC is, and what it underpins is the best there is. And yet, its profile amongst the corporate community is surprisingly low.
So, I would personally answer your question with a no. Data Risk is not slowing down progress because so few organisations are even really acknowledging it.”
Jim, British Sugar
“I’m glad we finished on a ‘NO’. In the last 10 years I’ve been heavily involved in the digital transformation of companies. Data Risk has not been the problem they’ve been facing, but data management has been. Lots of structured and unstructured data to deal with. But ultimately, the organisations have wanted to understand and manage the data to make better business decisions. Maybe I’m fortunate that I’ve been at a senior enough level that I can create secure by design businesses while we transform, as Conor talks about, as this has definitely been essential. So my answer very firmly from my experience is that Data Risk isn’t slowing down progress, but the challenge of data management definitely has.”
“The fundamental problem with data in its use and protection is that most organisations don’t know what they’ve got or where it is. It is an issue of classification. It’s in my professional blood to think that organisations should look after their most valuable data and do what they can with the rest. But if organisations don’t know what data they have in the first place then I don’t know how any CISO can sleep at night.
It is unforgivable. Not that there are any organisations that are immune from this, unless an organisation has no data at all, but that’s not possible. Maybe we should be going to the boards within organisations and asking them who will get fired if there is a security breach? A potential key to raising the profile of risk at board level is to get the board members and investors to understand that if a breach is suffered due to lack of action then it is them that are held responsible.”
Jim, British Sugar
“How easy have you all found it to act on risk across multiple departments? I struggle. Martin is quite right, most organisations don’t know what data they’ve got in the first place. Businesses need to be educated further. Data itself is a nebulous term and stewardship is a big old task to tackle. Tooling comes into it as well but first a business must understand what data is important to it and they must understand what the board’s view on data is.
It’s best to start with information at the top of the classification list – financial data, personal data, and so forth. At British Sugar I started doing this in 2020 and have only just finished the discovery piece, let alone actually doing something about it.”
Dave Parker, Group Head of Data Governance at Arrow Global, and one of our customers present at the forum, asked:
“Do you think that GDPR gave a false sense of security to board members? You can spend forever rationalising with the board and yet still only build a paper-based shield around your data. But really, organisations need to understand the data they’ve got and conceptualise data properly. GDPR puts a smoke screen over everything.”
Conor, BSI Group
“That’s a really good point. GDPR is definitely seen as a line in the sand by many. In my experience most organisations tend to have a bias towards action and they would rather get something done and then move on. GDPR set a date that organisations had to work towards and once that was achieved everyone said ‘thank god for that. What’s next?’ and then organisations looked to the next challenge.
Personally, I don’t think GDPR changed a thing in itself. It just re-stated what was already there. The only difference made was that it gave the regulators a little bit more armoury. But essentially it was a smoke screen because the fundamental requirements and compliance obligations already existed.
So if companies weren’t already meeting these obligations, then they were carrying a massive compliance risk. And if organisations did just view it as something which had an ‘end date’ then that goes back to the organisation having a wider cultural problem. The mindset needs to be changed from ‘do we need to do this?’ to ‘we absolutely must do this because we have to’.”
“Conor, you are a man after my own heart. The thing that I am seeing shift is that organisations are starting to appreciate their responsibility to data. I’m hearing people say ‘I have a responsibility now to understand this data so I can better protect and serve people’, so I hope the culture is changing, and I think it is.”
Conclusion & key takeaway points...
“I’m going to turn this whole topic back on ourselves quickly. Something pointed out to me recently in our SASIG community is that sometimes boards within organisations don’t understand Data Risk. Now, it’s not because they’re not able to comprehend it; if they’re on the board, then that means they must be really bright. It’s because we haven’t explained it properly to them. So we are responsible for the lack of understanding and lack of commitment to Data Risk at board level. We therefore need to find the tools and the words that will help us to communicate this better.”
“Martin, I think this is a really important point. I like to think of it as quantitative risk modelling at board level to try and change the argument from ‘we might have a load of data that’s risky’ to ‘we have a big black hole in our risk register within our data estate, and that equates to something we can put pound signs on and has money attached to it’. And this is what captures people’s attention. The board isn’t thick, you are right; we need to take better ownership of it.”
Jim, British Sugar
“We talk a lot about both risks and uncertainties in my business. Risk is quantifiable and uncertainty, well we try and put some kind of measure against it. We are in a period of uncertainty. I personally feel we are in a period of evolution now. Future generations won’t have to deal with this problem in the same way as we are dealing with it now. The attack surface just gets wider, the attacks get more complex, and the penalties for failure are increasing. Businesses cannot survive without their data. It is that important.”
Conor, BSI Group
“There is a common cliché statement used in organisations: ‘run the business, change the business, scale the business’. I think that regardless of what the risk conversation is, once the board is talking about risk and we have the right people providing the right information to educate the business on risk properly, then running the business becomes dependent on what data you have, where it is, why you have it and what you can leverage it to do. Changing the business then becomes a risk-based decision. Scaling the business then becomes informed by risk and you can naturally put the right resources in the right place. Informed, intelligent analysis of what is happening on the ground is needed.”
Takeaway tip for organisations reading this:
Jim: “A lot of ransomware attacks won’t work if you don’t have a Cyrillic keyboard.”