It's a New, Challenging World for Data Governance

Data governance strategy is rapidly shifting from the defense to the offense.

John Edwards, Technology Journalist & Author

September 26, 2017


For decades, data governance efforts have focused on compliance and security. While these two sectors remain essential, a growing number of enterprises are beginning to place user access on an equal, or nearly equal, footing.

Today's enterprises are increasingly data-driven, and data governance -- along with its compliance and security aspects -- needs to be flexible enough to allow data to be easily accessed by the people who need to work with it to solve business problems, drive new revenue, create value, and even monetize the data itself.

"Data governance policies are traditionally thought of as the external regulations and internal standards and requirements that must be complied with," observes Harald Smith, director of product management at data software specialist Syncsort. Yet many enterprises are now beginning to embrace a broader view. "Data governance policies [now] define the targets you wish to achieve in how your employees access, assess, utilize, and report on data usage," Smith says. "Providing a clear, consistent policy-based message that is communicated equally to all employees helps ensure they understand the framework for their use of data."

Data governance has, traditionally, struggled to meet the compromises needed to serve business needs while remaining rigid enough to enforce a centrally managed data governance policy. "New platforms and solutions using artificial intelligence now allow for more flexibility in their data model layers, which translates to some tolerance in policies that allow business lines to comply with the essence of data governance policies while rationing the flexibility needed to adapt to the 'new normal' pace of doing business in highly competitive markets," says Katrin Ribant, CSO and co-founder of Datorama, a marketing analytics solutions provider.


New attitudes

In the past, most data governance was focused on how data should be backed up or archived, making sure it was protected and that it adhered to data retention laws. "Now we see a shift in data governance as it puts more focus on how data is accessed and used in daily operations," says Ashok Reddy, general manager of mainframe at system software provider CA Technologies. "The reason for this shift is the increase in privacy regulations and the rise in very large data breaches that have significant financial impact."


Access control, data retention and other governance policies are all becoming more collaborative. "As more stakeholders, from IT managers to end users and partners, are working with data, policies are changing to reflect the needs that each of these audiences requires," says Bennett Malbon, CTO at Novaseek Research, a life sciences IT company. "At the same time, we’re also finding that healthcare organizations are finding new ways to use the information they have to improve the patient experience, streamline their workflows and drive new revenue."


Data governance policies are changing from pure-play centralized hub-and-spoke to decentralized business-driven solutions, while enabling business technology to control the flow and integration, says Joseph Coniker, technology solutions principal and national business analytics practice leader at professional services firm Grant Thornton. "Data needs to be available to the right people at the right time for them to take action on any device or browser," he notes.

A balancing act

Security typically must balance risk against convenience, and data is no exception. "Data can be made more accessible if it is properly understood and techniques, rules and behaviors are enforced around its use," Reddy says. For example, certain types of sensitive data can be required to be masked, or entire datasets to be encrypted, along with restrictions on data use. "As needs for data become broader, more granular access controls and restrictions will better protect that data and allow those with business requirements for the data to easily access it," he observes.

Balancing data accessibility and security hinges on a fundamental equation of people, process and technology within a policy-based data governance framework, Smith states. "Since data governance policies dictate the information architecture -- which information can be made available within what parameters -- there isn't a one-size-fits-all approach," he explains. The technology implements a design that conforms to policy, including privacy and security requirements.

"Data lakes and information hubs are two common approaches, but these might be segmented into zones, such as an exploratory zone for data science and an analytical zone for use by many lines-of-businesses," Smith says. Processes will then determine how end users can learn about specific data policies, data lake contents and even how they should approach assessing and evaluating data quality for their particular needs. "Ongoing communication and education helps employees understand how they can help protect the data in their care," Smith says.

Ribant believes that maintaining decentralized data access with security requires a modern, multi-tenant architecture. "This is because there is a need to secure a central data model and spin off data marts, which can have flexible security -- ideally, low-level -- in a matter of seconds without involving the IT department, which can be a bottleneck if trying to work at the pace of today’s business environment," she explains.

Any security technology approach used needs to ensure that data can be available to the right people at the right time on any device or browser, Coniker observes. "The issue with making data available with such open characteristics is that it lends itself to significant privacy and security risks," he says. "This is an area where cloud solutions can play a role and have to be further vetted."

Coniker says that enterprises can create a secure environment, inside or outside the firewall, by using a SaaS platform. "Some software vendors provide this capability," he notes. Another approach for addressing both analytical and access requirements is PaaS technology, which allows solutions to be customized in the cloud for client specific interactions. Meanwhile, IaaS technology is available as a key component for locking down security and enabling privacy at the hardware, operating system, software and inbound network protocol levels, Coniker says.

More users = More risk

As general-use business intelligence tools become more accessible to a broader business population, more individuals will begin engaging in general data analysis.


Yet enabling more people to access increasingly granular -- and inevitably sensitive -- information raises the likelihood of a data leak from a lost or stolen laptop, a data breach or some other means, notes Cliff White, CTO of Accellion, a company that offers cloud-based file sharing and collaboration services. "By implementing a strategic governance policy that provides clear insight into where data sits and which individuals are accessing it, enterprise organizations can more confidently provide access to that data, which can result in greater benefit and efficiency in the long run," he says.

Smith believes that promoting data literacy is critical to ensuring that end users fully understand the business problems they are trying to address with their newly available data. "It’s easy to misconstrue data relationships, and the consequences of [making] poor choices of which data to include--or exclude--can have monetary consequences for an organization if it is shown that such usage produced biased decision-making," he says. An organization's data governance effort needs to cement the effective and appropriate use of data as well as establish policies and processes to support its overall governance goals. "Education, training and two-way communication, including employee feedback, is central to this," Smith says.

Yet enterprises must also live up to their governance obligations to managers and staff. "People must trust that systems are passing the appropriate, corresponding values that they want to see," Coniker says. "Although there is a diverse business population that has a shallower understanding of the handling of the data, they have a deeper understanding on the subject and the usability of the data."

More than just tools

Data governance is more of a process than a set of tools. "Although tools are helpful, companies need to understand their data [and] its inherent risks--especially risks of exposure or leakage--and understand the provenance of the data," Reddy says. The best first step, he notes, starts with discovering the data and classifying it to outline its sensitivity and inherent risk. "By sharing this core detail on the data, IT and the business can then begin to balance risk with convenience," Reddy says.

"There’s tremendous opportunity to leverage the broad range of available data--both internal and external--to improve business decisions, enhance customer experience and discover new insights, but making sure the people working with the data have the right understanding is key so as not to put the organization at risk," Smith says. "An offensive approach to data governance is central to this effort, both in establishing effective policies and processes and in ensuring effective communication to and from employees."

About the Author(s)

John Edwards

Technology Journalist & Author

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.
