Modernizing Authentication — What It Takes to Transform Secure Access
"My role as chief data officer is to oversee four things ... that I think are critically important," said Nick Marko as he moderated a panel discussion on the evolving role of the CDO in health care at the recent MIT Chief Data Officer and Information Quality [CDOIQ] Symposium. Marko, former chief data officer of Geisinger Medical Center and current head of Geisinger Health System's data department, offered his list:
- Data governance
- Data management
- Data science
- Data strategy
Marko did not mention data security. He focused instead on the aspects of data governance involving accessibility, which some consider security's mortal foe.
Marko described his view of data governance as: "How do I eliminate all the barriers that have sprung up here over the course of the last 20 years to prevent people from getting to their data ... Really make it [about getting] information to people quickly and without barriers."
From this perspective, it is easy to imagine the chief data officer and the CISO fighting over ideological differences and turf wars. These two C-suite roles, however, can and should partner up to make each other more effective, given their mutual interest in effective data management.
Below are three tips gleaned from the MIT CDOIQ Symposium on how CDOs and CISOs can become better business partners.
Clarify Roles and Relationships of CISO, CDO
During a CDOIQ session titled Securing Big Data, an audience member asked presenter Shamla Naidoo, IBM's CISO and vice president of IT Risk, about her interactions with the CDO's office. Naidoo's reply came quickly and simply.
"We treat them just like another business unit," she said. "As they build out ... we've already given them a list of things we want to see in the infrastructure."
Another attendee asked how Naidoo resolves differences of opinion with her CDO. Naidoo said it comes down to knowing -- and clarifying -- whose job it is to do what.
"We [in information security] do not focus so much on Big Data; we focus more on the infrastructure," Naidoo said. "I'm providing services that go across the company [that] everyone else consumes ... They're responsible for execution across the board [of those services]."
Just as the CDO answers to the CISO on information security issues, the CISO is answerable in the same way to the CDO on data-related issues, she noted.
"The CDO is responsible for [data] strategy and operations," said Naidoo. "Analytics is something that each group [deals with]. The CDO is part of the analytics team, and is basically doing all the analytics for us, providing [us with a] service."
Make Data Governance Everyone's Responsibility
Not all CDOs take the tack that Marko does in making data governance a top priority for their office. In a panel session titled Perspectives on Evolution of the CDO Role, GlaxoSmithKline CDO Mark Ramsey argued that the two-way street that Naidoo describes works well when data governance is taken off of the CDO's plate and served buffet-style to the rest of the business.
"We purposely have put data governance as a responsibility of one of the senior executives within the business, and that's where the [role] runs," said Ramsey. "If there are technical things to resolve, situations that they identify, then IT supports that ... We got it wrong before when we were like, 'Hey, 'data governance'! I got 'data' in my title!'"
One benefit of this approach, explained Ramsey, is that "a lot of pain" of data governance -- and accordingly, data security -- resides with the stakeholders themselves, requiring them to shape up.
"It's going back to the folks who created the data," said Ramsey, who noted that business stakeholders begin to realize, "If I just do it right [to begin with], I don't get all these questions."
Data governance is necessarily a joint effort, Naidoo agreed -- primarily because it will allow proper buy-in and preempt potential conflict.
"We've got about eight to 10 business units that operate as Fortune 100 companies," said Naidoo. "So when I came in, I didn't know what governance structure they had; so I said, 'You know what? Forget what you have. Delete it; we'll start again.'"
According to Naidoo, this allowed IBM's business units to collaborate on a set of mutual goals for the entire company -- goals that are now overseen by a governance committee composed of business unit leaders and two of CEO Ginni Rometty's direct reports.
"I let them debate," she said. "For any big [security] incident that happens in the company, I have a direct line to [the CEO]."
Find Right Balance between Risk, Accessibility
While the chief data officer and the CISO (or security-minded CIO) may have different goals, ultimately one's success is the other's -- and one's failure is the other's.
Yet this is unintuitive, as CDOIQ attendees noted.
"Often there's a need to take a little more risk [as a CDO]," said one audience member at a panel that featured Ramsey and GlaxoSmithKline CIO Daniel LeBeau, pointing to the sharp difference between the "risk-taking, fast-failing" CDO and the more risk-averse CISO or CIO. "How [have] both of you partnered [in] increasing the risk tolerance of folks?"
"I think [partnership is] very important ... because we probably deal with more legal compliance risk than [do] other companies," said LeBeau. "It's absolutely fundamental to find the right balance between transparency and [data privacy and security]."
Despite the risk environment at his heavily regulated company, Ramsey said he strives to educate others across his organization that, in such an environment, declining to act is often riskier than the data-related business actions that are perceived as high risk.
"My new best friend is the chief information security officer," Ramsey said. "We've learned a lot and we're continuing [to learn]."
Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate communications and data privacy consultant, writer, speaker and bridge player. Follow him on Twitter at @JoeStanganelli.