February 18 2020 – By Dan Welberry

Managing data as an asset and a risk:

How to extract value, deliver on privacy and manage the complexity of data

Managing data as an asset and a risk: How to extract value, deliver on privacy and manage the complexity of data

Anyone working in the world of information is tasked with managing data in highly complex programmes. The big issue that data professionals face is how to raise the profile of data in order to get people to understand its value – both as a risk and an asset – to push forward the right data programmes.

All companies grapple with the privacy aspect of data, as well as how to use it as a differentiator. And everyone shares the same problem because the sheer volume and complexity of data is a huge challenge.

We often hear our customers talk about the issue of managing data: not knowing what data they have, where it is and who has access to it. And of course, if you get it wrong that data becomes a liability, rather than the business asset it should be.

In an ideal world, every organisation would be able to extract value, deliver on privacy and manage the complexity of data.

In this report we want to explore how businesses can become ‘information intelligent’ by raising the profile of data. We want to tell a bigger story to engage a wider set of stakeholders and educate them on the true value locked in that data.

We’ve distilled the recommendations in this report into four key steps:

Step 1: Deliver on privacy, security and risk

Put the customer first and build on what you’ve already done for GDPR to transition it to business-as-usual. It all has to start with identifying unstructured data.

Step 2: Managing data complexity

Think about how to create tiered ownership of data, then appoint data champions before leveraging technology to help simplify the process.

Step 3: Position data as an asset

Think about how to pitch your data programme in terms of tangible impact, while aligning it to your organisational goals and framing the business case in the right way.

Step 4: Encourage internal collaboration

Lead by example and make opportunities to work together. Of course, this is all dependent on acquiring the soft skills to create and nurture strategic relationships.

Report Methodology

The insights shared within this report were acquired during a roundtable discussion with a select group of data governance specialists, from leading UK companies. The event was hosted by Exonar and chaired by its CEO and Founder, Adrian Barrett.

Present at the event were:

  • A data quality and analytics expert from a relationship bank.
  • A leader in cyber security from a large insurance company.
  • A director of data privacy at a global insurance broker.
  • A data management leader from a high street bank.
  • IT security expert from a global pharmaceutical firm
  • Fraud, risk, and security expert, multinational telecommunications conglomerate.

As a by-product of the technology revolution and the information age, data is considered the world’s most valuable resource. Every company is a data company whether it’s a traditional non-tech business or is born out the information age. Today, the biggest challenge is managing data to understand its value as both an asset and a risk in order to push forward the right programmes.”
Adrian Barrett
Founder and CEO, Exonar

Step 1: Deliver on privacy, security and risk

Poor data governance is like a ticking time bomb. Disarming the threat is reliant on knowing what data you’ve got so you can manage it and protect your organisation.

But where to begin?

Our panel identified 3 crucial elements:

1. Compliance: at the heart of compliance lies consistency, because when you know your people, systems and processes are all operating in the same way, you retain greater control over your estate.

2. Efficiency: having the ability to locate the right data in a timely manner is essential, particularly for responding to data subject access requests (DSARs).

3. Insight: with insight, data transitions from being a potential threat to a business asset, ensuring the best decisions are made with the right data at the right time.

But as with most things in life, it’s rarely that simple.

As one panel member, UK cyber operations lead at a large insurance company, said, “How can we talk about anything when you don’t know where your data is or what data you have? The first thing you need to do is identify your data, it’s still the biggest challenge I’m seeing after 8 years”.

Action 1: identify your unstructured data

Having the ability to access the data you need to perform your job is essential for any business to operate efficiently and effectively. In the digital era, where there’s an enormous volume of it, the way you approach data is key.

But…

This assumes that you have visibility of everything in your data estate, across both structured and unstructured databases.

Most organisations take it for granted that they are managing data consistently and their documents are neatly filed in secure data repositories. But the things that get stored as unstructured data are extraordinary – things like passwords that are written down in spreadsheets, snippets of emails, credit card numbers…

Cleaning up your data so you’re able to take remediation actions to mitigate risk, as well as distil the value locked within it, is one of the first steps to getting properly GDPR compliant.

However…

Uncovering all your data is a huge undertaking and therefore is best broken down into smaller, more manageable projects. One panellist, the data privacy director at the insurance brokerage, spoke of her plans for this year:

“To build on what’s been done so far I need to deliver a successful pilot programme by the end of the year, which allows me to demonstrate and quantify the progress that has been made, as well as create a new structure with access control and governance around this.”

Things to think about…

Break your project down into more manageable chunks. Resolve any problem areas by moving and/or deleting data at scale, and then implementing a mechanism for managing data ongoing.

Use technology to automate these processes. Not only can technology tools help to flag up areas of concern that need to be addressed, they can pinpoint specific individuals that aren’t adhering to your privacy policy so you can give them a gentle nudge.

“If a data breach occurs, the clock starts ticking the moment you put it in an email or say it verbally and the regulators come round. It can be very bad, so it’s good to be proactive.”
Cyber operations lead Major insurer

Technology approaches to data discovery

The first step to data discovery at scale is the right tools that enable you to interrogate your data estate in real time and with near-instant results.

Exonar does this by indexing data at scale and maintaining that index (rather than scanning), and is the way that Exonar’s products differentiate from other forms of ‘data discovery’. Think of it like Google within your company, with instant results to find data of any kind, always up to date and ready to spot changes or non-compliance.

By indexing data across all of your organisation’s estate, not only can sensitive information be immediately found, but the same searches against specific data governance policies can be repeated on an automated basis.

We believe that this is what the first step in managing data should look like from a technology perspective, but of course we would say that having developed it!

Alternative approaches might use in-built search tools in specific systems, such as Microsoft Exchange for email, to find examples of non-compliance to policy. However, drawbacks of this are numerous, in terms of the narrow scope of search, the ability of those tools to properly read the content in the system, and limitations on accurate classification of content found.

Action 2: put the customer first

Everyone on our panel agreed that the customer was the most important aspect of data, and yet often gets forgotten when organisations get buried in the detail.

The data quality and analytics expert from a relationship bank, said, “The regulator wants to become more data-driven, but what does it mean? We need to be asking what is right for the customer?”

Data and customers go hand-in-hand, since they both touch every function within your business. Therefore, to get the data part right, you need to educate your business so the customer takes centre stage.

Making decisions around data storage, privacy and security with the customer in mind, makes it easier to set policies for managing data internally and enforce them across the business.

As a leader in cyber security from a large insurance company summed up, “At the end of the day, we are all trying to minimise risk. Using consistent language means our people and suppliers treat data the same way from a risk perspective – we need to protect the data.”

Things to think about

  • Establish a working group with representatives from across your business. Identify everything that matters to them, and the data involved in satisfying those demands. Then rank them according to urgency and importance to set your priorities.
  • Perform a third-party risk assessment. It’s as important to manage your suppliers and how they handle data as it is your own.

“Everything we do should focus on how the customer interacts with us, which should make it clearer how we are managing data.”

Data quality and analytics expert Relationship bank

Action 3: improve your GDPR

Our panel agreed that GDPR is back on the boardroom agenda following the high-profile fines for Marriott and BA.

But whereas last time the focus was simply on demonstrating compliance to the regulator, this time it’s back to the drawing board to build on what’s been done so far, to really get the privacy programmes off the ground in an automated way.

The IT security expert at a leading pharmaceutical company, claimed that what’s being discussed now shouldn’t involve anything new. With everyone responsible for the data’s ownership, the priority should be, “Getting [new coverage] embedded so we can better manage risk, understand value, and get our governance processes up and running so people understand their roles of accountability and responsibility.”

Everyone agreed that businesses need to be doing as much as they can around managing data and to strengthen data protection. There was a sense that re-education is needed internally to get teams back on track with thinking about privacy.

But embarking on these new programmes requires more investment. The data privacy director at an insurance brokerage said, “Everyone agrees what we need to do but it’s so difficult to get the funding. What arguments do you use? And how do you present them to get the money out?”

Things to think about

  • Re-educate your teams on what your data protection protocols are – and why. Help them to understand their importance, the consequence(s) to your customers of non-compliance and their individual role in keeping data safe.
  • Run specialised training programmes that consider common threats, like phishing, which your people will encounter as part of business-as-usual, so they can identify them more easily.

“Look at the organisations’ goals and your CEO’s objectives and how they cascade down to what you do, so that you can align with those goals. Think – how does your function support the CEO’s objectives? What’s the THIS you have to do so that CEO doesn’t fail? And how do you package it to show him that?”
Former security lead, Large international organisation

Step 2: Managing Data Complexity

The panel considered the growing challenge over how to tackle the volume and complexity of data at scale, and how to mitigate the risks associated with that data.

The data management leader from a relationship bank summed it up when he said, “We have thousands of systems and the challenge we face is what is the value to us as a bank? What’s the consumable value and the storage efficiency? Can we archive the data that’s redundant and access that information in the future if we need it? This is the essential, unsexy side of using the data.”

And for some there was the added complication of how their business grows. The data privacy director at the insurance brokerage said, “Lots of mergers and acquisitions create a situation where people don’t know where data is”.

Overall, the biggest challenge that this growing data complexity creates is ownership. As one panellist, the product owner in the digital discovery space at a major high street bank, said bluntly, “Ownership full stop is a nightmare.”

The panel agreed that responsibility for managing data is a company-wide issue – the data quality and analytics expert from a relationship bank said “[Data] is the whole institution’s problem not just one department.” While the IT security manager at a major pharmaceutical company agreed, “Everyone has a responsibility for the data they create and manage.”

So where do you start?

Action 1: create tiered ownership of data

One of our panellists shared an interesting suggestion to create different responsibility levels of data ownership and management: 

  • The data owner: who understands the value of the data they’re holding. 
  • The data guardian: who understands the context of the data. 
  • The data steward: who understands the specific data in their system, for example, a marketer with their CRM system.

Creating the idea of shared ownership avoids potential conflict where changes are dictated without the instigator understanding why things need to be done a certain way. As one panellist, cyber operations lead at a major insurer, explained:

“How can you change something without talking to us? The CISO group needs to understand the business and its verticals. Each business unit has different maturity levels, which is a challenge in itself. And then understanding the vertical in itself is another challenge. We need alignment and a common goal.”

Achieving that alignment and common goal is then dependent on embedding this way of working into your culture. By getting data management and governance processes up and running people understand their roles of accountability and responsibility.

“It’s a lot of informal work,” said the data privacy director at the insurance brokerage. “A lot of my work for the past year was building ground, speaking to people, finding out how they think of privacy, and their view on how the programme was going…Trying to create a relationship within the business, creating goodwill.”

This idea of ‘ownership’ should never be presented as something extra for people to do – simply that everyone has a responsibility for the data they create and manage. To achieve this, you need to communicate the importance of data stewardship – from the senior leadership team right through to the frontline staff – and again, talk about the data in terms of the people it represents.

Things to think about…

  • Identify who should be the key data stakeholders within each functional area – the owner, guardian and steward – and create a mechanism to ensure they’re regularly talking about the data they hold and why, how it’s being processed, and whether any changes need to be made to the privacy policy as a result.
  • Make sure everyone understands the importance of managing data by talking about it from the customer’s perspective. When your people see data as a person, they can’t help but care and take ownership in order to protect it.

“When you engage with people, it’s a different conversation.”

Data quality and analytics expert Relationship bank

Action 2: appoint data champions

Another of our panel talked about getting away from ‘ownership’ and towards data management – even starting to create his own data champions:

“We replaced the divisional data office. Every division has its team and are able to understand the problems in their area to engage and demonstrate capability to help with problems in their area. We are placing people throughout the organisation to manage data moving forward.”

Another panellist, head of data and analytics at a relationship bank, agreed saying, “Get away from data ownership because people don’t want to accept risk. Create data champions – the ones who understand what’s going on.”

While a third member, product owner in the digital discovery space at a major high street bank, said, “In our programme there were different streams. We placed data officers to be the eyes and ears for data. Through our CDO we understood the problems in those areas. That was one of the big things – people and the placement of people in the bank to manage data.”

Things to think about… 

Nominate data champions who are the people actually handling and processing your data dayto-day. They’re the ones who really understand how that data needs to flow, where potential problem areas are and understand its inherent value. 

Empower those individuals to get on in the best way they know how. If you handcuff them in rules and regulations, you’ll impede their ability to act. Give them the freedom to innovate within the guidelines of your company values, and you’ll find a new/different/better outcome.

“I organise cyber exercises…I brought 18 people together and held a mock interview of a CISO, who froze. Transparency and collaboration is so important, and it was a good exercise because a reporter might ask the same questions. It brought together our people to collaborate and improve processes.” 

Cyber operations lead Major insurer

Action 3: leverage technology to help manage the complexity

Before the GDPR deadline hit, organisations were working against the clock to demonstrate their compliance to the Information Commissioner’s Office.

But as our data privacy director at the insurance brokerage explains, “Lots of money was spent and lots was wasted because of the fear factor…How could it be that millions were spent and the knowledge walked out of the business?…You need a business-as-usual process that you feel confident in.”

One of the drivers behind this problem was that in their panic, organisations turned to so-called GDPR ‘experts’. Not feeling comfortable talking about technology, some boards of directors shunned proven ways of working that would protect their business, ensure their compliance and distil the value locked in their data.

One panel member, the IT security expert at a major pharmaceutical company, who has leveraged the power of technology to embed data privacy as part of business-as-usual explained the benefit:

“Understanding what is valuable in your data – the crown jewels – is vital, but the context changes over time. Our business found itself, 10 years later, in a dispute about IP ownership. Through using data discovery technology we successfully went back into our email archive to trace the conversation to something that, at the time, was uninteresting…It saved us months of litigation being able to unpick the story and prove our side.”

While the cyber operations lead at a major insurer, concluded, “You might suffer a breach but if you demonstrate you did everything you could do protect the data, you aren’t going to be fined.”

Things to think about… 

  • Establish a cross-functional working group that comprises the CISO, IT and CDO. By bringing the right stakeholders together, you can start to solve the problem of how to turn data governance policy into practice.
  • Use that group to help you understand the combinations of technology available that could help you achieve your objective, and give you confidence about how to roll out your new business-as-usual process for managing data across the organisation.

“From ticking the box of being compliant to actually proving you’re compliant, this will have to change.”
Former security lead Large international organisations

Step 3: Position data as an asset

We’ve touched upon this a few times already during this report – the idea that there are valuable insights locked within your data. As one panellist stated, “Data is the new cash.”

With data insight, businesses can make better decisions, mitigate risks and deepen the bonds of trust with customers. But getting to this data is tough. Our panellists talked about how to mine intellectual property, and then use that insight to drive competitive advantage.

A director of data privacy at a global insurance broker said she was looking at how to position data as an asset in order to elevate its profile in the organisation:

“I don’t preach risk, I want to be able to show value. Compliance has to be about the business benefits for it to be impactful. Once you get this, you have the balance between risk and asset. Data governance became a privacy problem because it was surfaced by GDPR. But data in terms of regulatory reporting and business insight should be the same narrative.”

But what if data as an asset isn’t on the CEO’s radar – where do you start?

One of our panellists, product owner in the digital discovery space at a major high street bank, shared his current predicament:

“It’s what we are trying to unravel now…The risk value question is interesting. If you can see all the data, you can see its full value because you’ve got all the data. But if you reduce your risk [by deleting the data], you reduce some of the value.”

Action 1: pitch your data management programme in terms of tangible impact

In order to run a new programme for managing data you’ll need funding. And in order to secure that funding, you’ll need to create a business case.

As one of our panel members, an IT security expert from a global pharmaceutical firm, explained, it’s all about changing the conversation to emphasise what really matters to the Board:

“Treating data as an asset is key to unlocking those conversations…If you can pitch your programme as if you didn’t have access to this data, what’s the tangible impact? Put a cost to the campaign you’d need to do to recover the organisation’s perception in the press and the cost of a set of lawyers for a month to go to court to argue a case.”

Things to think about…

  • Pitch a pilot programme initially so you can test and demonstrate the value of your data management project, without sinking too much investment. Once you’ve proved its worth to the Board, it becomes a lot easier to secure the funding you really need.
  • Calculate the cost of a breach. If you can demonstrate the monetary impact of failing to secure your data and transition privacy to business-as-usual, investing in your programme becomes a ‘no-brainer’.

“Speak their language – money!”
Cyber operations lead Major insurer

Action 2: align your data management programme to organisational goals

To create an environment in which your people are set up to succeed, you need to give your data champions the guidelines to help them perform their role. As the former security lead for major international enterprises, explained, it’s about aligning their decision-making process to the values that are already ingrained within the business:

“You have to have a really clear set of values for the organisation that you can align what it is you’re going to do against.”

And then the former security lead for major international enterprises, posed an interesting question to her peers:

“How do you create more billions coming in the top end with the data you’ve got?”

As our IT security expert at a major pharmaceutical company, perfectly summed up, “Are the CDO, CISO and CSO aligned? That’s more important. That’s the difference between protection and getting value from the data.”

Things to think about…

  • Before embarking on any programme for managing data, re-state the company values so your data champions keep them front of mind in all their decision-making.
  • Think about how your programme aligns to the overall goals of the company. If adopting a new way of working helps to meet an objective, as well as protect data in the process, it’s far more likely to be accepted.

“Without shared vision, nothing will happen.”
Data privacy director Insurance brokerage

Action 3: frame the business case right

As one panellist explained, “Companies think they’re in a better place than they actually are.” And the reason is that they don’t actually understand the information they possess.

“Organisations don’t understand the context of data,” said the IT security expert at a major pharmaceutical company. “Without the context of data, like the importance of HR records, you can’t tangibly measure the cost of data. There’s the cost of access request, and the cost of litigation. Most companies don’t measure the value of data in context, but leaders need to understand the context in order to invest in the data.”

For those present at our roundtable who had secured the funding to embark on these new programmes for managing data, they agreed that it’s about how you frame the business case.

For instance, compliance isn’t about a tick-box exercise to check that you’re compliant this week/ month/quarter. No. Compliance is about adopting new initiatives to operationalise processes that facilitate better data management. As the data quality and analytics expert from a relationship bank said, “If the project doesn’t deliver to business-as-usual, then it drops off.”

One of our panellists, data privacy director at the insurance brokerage, explained her situation:

“In a complex organisation like ours, it’s not always easy. Even though I understand privacy, it’s a bit boring. I want to be able to talk finance… How can we position data as an asset? I strike the balance between risk and asset when I speak to the board…showing the impact to the business of what we are trying to do.”

Things to think about…

  • There are 3 key things that appeal to a CEO: time, team and money. Frame your data management programme so that it taps into one of these, and you’ll have the attention you need.
  • Think about how to communicate. Your CEO is time poor and therefore doesn’t want to read a 100-page technical report. If you can show something visually, do it, it’s a far more effective channel for communication.

“Compliance has to be about the business benefits.”
Data privacy director Insurance brokerage

Step 4: Encourage internal collaboration

Previously within this report, we’ve considered the need for shared ownership of data, appointing data champions and empowering them within the parameters of the company values. We’ve also considered the idea of creating cross-functional working groups to solve the problem of how to turn data governance policy into practice.

Here, we look at how our panels are bringing people together effectively to collaborate.

Elevating the position of data within an organisation requires being able to influence discussions at the Board level, and potentially at a global scale. As such, one voice isn’t enough – to secure share of mind, you need the backing of a strong team.

Our cyber operations lead at a major insurer, talked about how it’s, “People and culture and transparency and alignment.” And how, “The execs being real role models and leaders is very important,” in order to create an environment that is set up for success.

But there’s a big challenge to overcome first. And one panellist, head of data and analytics at a relationship bank, explained, “Internal competition is a big thing – head office vs regional. Success looks different for different people. It’s a competitive industry.”

So how can you address this challenge?

“How can you change something without talking to us?”
Cyber operations lead Major insurer

Action 1: lead by example

In many organisations, change is dictated from the top. This can create two problems:

  1. A ‘do as I say, not as I do’ culture.
  2. Decisions that are made without understanding the context and wider implications

As our cyber operations lead at a major insurer explained, “Executives need to lead by example. For example, IT was meant to change our anti-virus software, but they never came to us to talk about it – they don’t know the problems we’re facing at the moment. Just because a tool did well in one company doesn’t mean it’ll work well in this one. Let’s do an analysis of what the tool does so that we make sure we address these things otherwise we just bring the same solution.”

Every organisation needs leaders who are there to guide and oversee the day-to-day operations. But those leaders need to remember that they’re managing a team of specialists – the people who actually do the work every day, the people who understand how the business really operates and why.

Fail to engage them, and it’s a huge, missed opportunity, as well as having a massive, negative impact on employee morale.

Things to think about…

  • Invest in training for your management team. There are lots of managers who are promoted/ hired into the position without any prior experience. Invest in training, and they’ll understand how to get the best out of their team and unlock that valuable knowledge.
  • Create a feedback mechanism. Whether it’s an old-fashion suggestions box, regular team meetings or new software, you need something in place to capture your team’s insights, so you know what is/isn’t working well and how to continuously improve.

Action 2: make opportunities to work together

As organisations grow, it’s common for them to become siloed in the way they operate. As one panellist commented, “We are so big that we are siloed. We don’t want to be but that’s how it is.”

With those walls in place, collaboration isn’t just going to happen – it needs to be facilitated. But there is a right and a wrong way to encourage that internal collaboration. As our head of data and analytics at a relationship bank so aptly put it, “Engage rather than threat.”

By creating opportunities for new groups to form and work together, you start to create new working styles that have a wider impact across the business. One panel member, data privacy director at the insurance brokerage, explained how she had pushed engagement to bring her business together:

“Recently we were working on a cyber strategy and privacy was part of it. As we were fine tuning, I felt for the first time we are not in silos for this cyber strategy programme. It was all about the soft development in the background that led us to collaborate closer.”

Things to think about…

  • Identify the big business questions you need to answer, and then formulate specialised working groups to generate ideas to overcome the issue. By mixing data specialists, with technical specialists and business stakeholders, you’ll create more holistic ideas around managing data that people are automatically behind because they helped create them.
  • Use your internal communications channels to promote the collaborative efforts that are happening across the business. Use these channels to generate excitement for different initiatives, and how everyone is a part of it.

“At the beginning it is cowboy territory but slowly, it comes.”
Data privacy director Insurance brokerage

Action 3: focus on soft skills

Data may be the new cash, but you need to be able to articulate how to turn it into cash.

To encourage that collaboration, you’ve also got to create relationships within the business.

And you’ve got achieve senior buy-in in order to secure funding and support for your data programme.

These aren’t the sorts of things that can be achieved through rigid reports, pretty presentations or ‘death by data’ alone. No. They require softer skills, like listening, learning and liaising with people across the organisation.

As one panellist, former security lead for major international enterprises, highlighted, “There are a massive number of challenges. What are the blocks? What’s your biggest challenge this year?” these are the sorts of questions where the best answers are gained from engaging with individuals.

Things to think about…

  • Make time to invite people for a coffee and a chat. Get to know the real pains/opportunities within the business.
  • Once you’ve identified the priorities, seek out the data that’s necessary to back up your arguments.

“Trying to create a relationship within the business, creating goodwill [requires] soft skills and it’s not tangible – it’s esoteric.”
Data privacy director Insurance brokerage

Creating the foundations of good data management

During this event we heard from the panel about their experiences with data management – the good, the bad and the ugly – and in the process identified what best practice should look like.

There were several important themes to emerge from the discussions. Firstly, how the customer needs to sit at the core of all decision making because organisations need to do what’s in their best interests to protect their personal data.

Then considering how data privacy is everyone’s responsibility. We all have a part to play in protecting our company’s most sacred asset, which is why the policies that dictate how we interact with that data should be ingrained into our company’s DNA.

But more than that…

By bringing disparate people together to start modelling and understanding that data, you start to unlock its true value. It’s at this point that data starts to become a competitive advantage because it provides the insights needed to make better decisions.

However, achieving the ‘holy grail’ of data as an asset isn’t that simple.

When your business doesn’t actually understand the context of their data, views it purely as a threat to their operations, and approaches it with a siloed mentality, it’s tough to secure the funding and backing for new data programmes. To achieve buy-in from the business, the conversation needs to change so that for the first time, everyone’s reading from the same page and understands what data actually is.

Of course, this is all reliant on perhaps the biggest challenge.

Understanding what data you actually have in the first place. And this is where technology like Exonar’s should be leveraged to support an organisation’s efforts.

Now talk to Exonar about shining a light on what you could do with your data

We are offering you the opportunity to see how the Exonar suite of products can help you, by revealing what’s in your data estate, and shining a light on what you could do with that data to distil its value and improve your business. To do this, we offer a pilot project so you can trial it for free on 2 million items (or 1TB) of your data.

Start discovering your data today…

To sum up, the first steps to achieving a new world where data exists as a business asset can be defined as: