CIOs: Being an Effective Data Custodian
Data and Information becoming a key corporate asset
According to Barbara Wixom at MIT CISR, “In a digital economy, data and the information it produces is one of a company’s most important assets” (“Recognizing data as an enterprise asset”, Barbara Wixom, MIT CISR, 3 March 2015). Wixom goes on to suggest that businesses increasingly “need to take an enterprise view of data. They should understand and govern data as a corporate asset, even when data management remains distributed”.
CIOs are not the enterprise data steward
Given that data is a corporate asset, you might expect this to be an area for the CIO’s leadership. However, I heard differently when I recently met with two different groups of CIOs. Regardless of whether the CIOs were public sector or private sector, they told me that they did not want to be the owner of enterprise data. One CIO succinctly put it this way: “we are not data stewards. Governance has to be done by the business—IT is merely the custodians of their data”. These CIOs argue that the business must own business data, and must determine how that data is managed, because only the business understands the business context around the data.
Given this, the CIOs that I talked to said that IT should not manage data but “should make sure that what the business needs done gets done with data”. CIOs, therefore, own the processes and technology for ensuring data is secured and available when and where the business needs it. Debbie Lew from ISACA put it this way, “IT does not own the data. IT facilitates data”.
So, if the management of data is distributed, what is the role of the CIO in being a good data custodian?
COBIT 5 provides some concrete suggestions that are worth taking a look at. According to COBIT, IT should make sure information and data owners are established and that they are able to make decisions about data definition, data classification, data security and control, and data integrity. Additionally, IT needs to ensure that the information system provides the “knowledge required to support all staff in their work activities.”
IT must create facilities so knowledge can be used
This means IT organizations need to create facilities so that knowledge can be used, shared and updated. Part of doing this task well involves ensuring the reliable availability of useful information, which means keeping the proportion of erroneous or unavailable information to a minimum. Performance here is measured by the percentage of reports that are not delivered on time and the percentage of reports containing inaccuracies; both need to be kept to a minimum. This function depends on backups of systems, applications, data and documentation, taken according to a defined schedule that meets business requirements.
Establishing a level of data accuracy that is acceptable to business users starts with building and maintaining an enterprise data dictionary that records, for each data element, its definition, its owner, the appropriate security controls, and its retention and destruction requirements. This involves identifying the data outputs from each source and mapping data storage, location, retrieval and recoverability. From a design perspective, it must ensure that appropriate redundancy, recovery and backup are built into the enterprise data architecture.
IT must enable compliance and security
COBIT 5 stresses the importance of data and information compliance and security. Information needs to be “properly secured, stored, transmitted or destroyed.” This starts with effective security and controls over information systems. To achieve it, procedures need to be defined and implemented to ensure the integrity and consistency of information stored in databases, data warehouses and data archives. All users need to be uniquely identifiable and to have access rights in accordance with their business role. For business compliance, all business transactions need to be retained for governance and compliance reasons. According to COBIT 5, IT organizations are chartered to ensure that the following four elements are established:
- Clear information ownership
- Timely, correct information
- Clear enterprise architecture and efficiency
- Compliance and security
There needs to be a common set of information requirements
But how are these objectives achieved? Effective information governance requires that the business and IT have a strong working relationship. It also requires that information requirements are established. Getting timely and correct information often starts with improving how data is managed. Instead of manually moving data or creating layer upon layer of spaghetti-code integration, enterprises need to standardize on a data architecture that creates a single integration layer among all data sources.
This integration layer increasingly needs to support new sources of data too and be able to do so at the speed of business. Business users want trustworthy data. An expert on data integration “maintains that at least 20 percent of all raw data is incorrect. Inaccurate data leads data users to question the information their systems provide.” The data system needs to automatically and proactively fix data issues like addresses, missing data and data format problems. And once this has been accomplished, it needs to go after redundancies in customers and transactions. With multiple IT-managed transaction systems, it is easy to misstate both customers and customer transactions. It is also possible to miss potential business opportunities. All of these are required to get accurate data.
Data needs to be systematically protected
Additionally, data needs to be systematically protected. This means that user access to data needs to be managed consistently across all IT-managed systems. Typical data integrations move data between applications without carrying over the access rules of the source data systems, so a data security weakness at any point in the IT system can expose all of the data. At the same time, enterprises need to control exactly what data is moved into test and production environments. Enterprises must also ensure that a common set of security governance rules is established and maintained across the entire enterprise, including data being exchanged with partners, employees and contractors who use data outside of the enterprise firewall.
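The data dictionary described earlier and the access and test-environment controls described here can be tied together: the dictionary becomes the single source that access checks, environment copies and retention checks consult. The following is an added illustration, not code from the article or from COBIT; the element names, owners, roles and retention periods are constructed.

```python
from dataclasses import dataclass

@dataclass
class DataElement:
    """One data dictionary entry: definition, owner, classification, retention, readers."""
    definition: str
    owner: str                      # accountable business owner, never IT
    classification: str             # "public", "internal" or "confidential"
    retention_days: int             # after this many days, destruction is due
    reader_roles: frozenset = frozenset()

# Constructed sample dictionary; names and values are illustrative only.
DICTIONARY = {
    "customer_email": DataElement("Customer contact address", "Head of Sales",
                                  "confidential", 730, frozenset({"sales_rep", "support_agent"})),
    "product_catalog": DataElement("Published product list", "Head of Marketing",
                                   "public", 3650, frozenset({"sales_rep", "analyst"})),
    "invoice_total": DataElement("Invoice amount", "CFO", "internal", 2555,
                                 frozenset({"finance", "analyst"})),
}

def can_read(role, element_name, dictionary=DICTIONARY):
    """Role-based access: unknown elements and unlisted roles are denied."""
    element = dictionary.get(element_name)
    return element is not None and role in element.reader_roles

def transfer_decision(element_name, target_env, dictionary=DICTIONARY):
    """Decide whether a copy into target_env is 'copy', 'mask' or 'deny'.
    Confidential data may leave production only in masked form."""
    element = dictionary.get(element_name)
    if element is None:
        return "deny"                      # not in the dictionary: no owner, no decision
    if target_env == "production":
        return "copy"
    return "mask" if element.classification == "confidential" else "copy"

def destruction_due(element_name, age_days, dictionary=DICTIONARY):
    """Retention check: True once the element's retention period has elapsed."""
    return age_days > dictionary[element_name].retention_days

def review_request(role, target_env, element_names, dictionary=DICTIONARY):
    """Review one data-movement request; returns {element: decision}."""
    return {
        name: ("deny" if not can_read(role, name, dictionary)
               else transfer_decision(name, target_env, dictionary))
        for name in element_names
    }
```

Elements absent from the dictionary are denied outright, which is the point of the dictionary: without a recorded owner and classification, nobody is entitled to decide.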
Clearly, COBIT 5 suggests that CIOs cannot completely divorce themselves from data governance. Yes, CIOs are data custodians, but there are clear and specific tasks that the CIO and their staff must uniquely take on. Otherwise, a good foundation for data governance cannot be established.