Solving the Non-Invasive Data Governance Puzzle
For computer users, non-invasive data governance means regulating technology as unobtrusively as possible. Can IT do it?
Unveiling Non-Invasive Data Governance
Non-invasive data governance “advocates for the least amount of disruption while still effectively managing and ensuring the quality, privacy and protection of data in an organization.” It’s come to the forefront of corporate data governance discussions because so much about it depends upon internal user practices.
To illustrate, in mid-2021, 94% of organizations surveyed for Egress reported that they had suffered insider data breaches. One year later, 67% of employees queried in a second survey acknowledged that they had failed to adhere to corporate cybersecurity policies, according to Harvard Business Review.
Employee non-adherence to security and governance policies (or, in some cases, lack of knowledge of them) is one reason why more companies are using social engineering audits to review practices in user departments. Another reason for lapses in governance is employee stress, which Gallup found affected 44% of all employees in 2023.
Companies don’t want stressed-out employees, but they don’t want poor data governance, either, and they know that data governance is not a job that IT can do independently.
The question is: How realistic is it to expect employees and user departments to do their own data governance policing?
The Goal of Non-Invasive Data Governance
Data governance requires user adherence to policies, but an equally significant challenge is rendering data governance as non-invasive to users as possible. Users don’t want to get new tasks that seem “extra” to their job responsibilities. Consequently, it makes sense to look at data governance through the lens of what users are already doing daily.
Non-Invasive Data Governance Best Practices
User managers are responsible for giving IT a list of their staff members, along with the levels of authorization for IT resources that each staff member needs. User managers are also responsible for letting HR and IT know of any staff members who are transferring to other user departments or leaving the company so authorizations for these personnel can be changed or eliminated.
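The joiner/mover/leaver process described above is usually enforced by reconciling what the user managers report to HR against what the identity system actually grants. The following is an added example, not tooling from the article or any vendor it mentions: it takes a constructed HR roster, a constructed table of entitlements, and a constructed per-department policy, and reports leavers who still have accounts, accounts with no roster entry, and transferred staff who kept grants their new department is not authorized for. The data layout, the department names and the resource names are all assumptions made for the illustration.

```python
"""Reconcile an HR roster against identity-system entitlements.

Added example (not the article's own tooling). Assumptions, all constructed:
the roster is a list of dicts with user id, department and status; the
entitlement table maps each account to the resources it may access; and a
per-department policy lists which resources that department's staff may hold.
"""
from dataclasses import dataclass

# Constructed sample data: the staff list user managers hand to HR/IT.
HR_ROSTER = [
    {"uid": "asmith", "dept": "finance", "status": "active"},
    {"uid": "bjones", "dept": "sales", "status": "active"},    # transferred from finance
    {"uid": "cwu", "dept": "finance", "status": "left"},       # has left the company
]

# Constructed sample data: grants currently present in the identity system.
IAM_GRANTS = {
    "asmith": {"erp-ledger", "email"},
    "bjones": {"erp-ledger", "crm", "email"},   # still holds a finance-only grant
    "cwu": {"erp-ledger", "email"},             # leaver whose access was never removed
    "svc-legacy": {"crm"},                      # account with no roster entry at all
}

# Constructed policy: which resources each department may be granted.
DEPT_POLICY = {
    "finance": {"erp-ledger", "email"},
    "sales": {"crm", "email"},
}


@dataclass(frozen=True, order=True)
class Finding:
    uid: str
    kind: str       # "orphan", "leaver" or "excess"
    resource: str   # "*" when the whole account is the problem


def reconcile(roster, grants, policy):
    """Return a sorted list of Findings for every grant that disagrees with HR."""
    by_uid = {person["uid"]: person for person in roster}
    findings = []
    for uid, resources in grants.items():
        person = by_uid.get(uid)
        if person is None:
            # Account exists in IT but HR knows nothing about it.
            findings.append(Finding(uid, "orphan", "*"))
            continue
        if person["status"] == "left":
            # Leaver: the whole account should have been disabled.
            findings.append(Finding(uid, "leaver", "*"))
            continue
        # Mover or ordinary drift: any grant the current department may not hold.
        allowed = policy.get(person["dept"], set())
        for res in sorted(resources - allowed):
            findings.append(Finding(uid, "excess", res))
    return sorted(findings)


def main():
    for f in reconcile(HR_ROSTER, IAM_GRANTS, DEPT_POLICY):
        print(f"{f.kind:7} {f.uid:11} {f.resource}")


if __name__ == "__main__":
    main()
```

Run against the constructed data, the report names three items for IT to action: the transferred user's leftover finance grant, the leaver's still-active account, and the roster-less service account. A clean roster and grant table produce an empty list, which is the state the monthly review should aim for.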
It is now standard practice in most companies for employees in user areas to immediately report any unusual emails so IT can investigate the emails for legitimacy.
In many cases, IT already sends monthly reports of system usage for all staff members to their respective managers for review. The purpose of the reports is for managers to check employee system usage for any abnormalities.
All of these steps are helpful for maintaining corporate data governance. They are also tasks that users routinely do.
The goal in a non-invasive data governance strategy is to ensure that users continue to do what they already do, while avoiding the addition of new data governance tasks to user workloads.
Using IT Automation to Enforce Enterprise Data Governance
Another way to render data governance non-invasive to users is to employ automation software to enforce data governance.
Automation solutions are available for operations such as these:
Multi-factor authentication that requires more than a user ID and password for sign-on to IT resources (e.g., by adding a third element such as biometric identification).
Data cleaning and preparation tools that vet and ensure that data is correctly formatted, accurate and able to integrate with other forms of data in central data repositories before the data is admitted into those repositories.
Automatic track and trace tools that can detect and monitor user activities at all points in the network and immediately issue an alert if a usage anomaly is detected.
The deployment of zero-trust networks that not only secure the outer boundaries of networks, but also internal boundaries for specific IT systems and assets that only certain users are authorized for.
SD-WAN (software-defined wide area network) and SASE (secure access service edge) solutions that extend data security beyond the walls of internal enterprise networks and that offer advanced tools and automation to ensure that cloud-based data operations are secure.
Automated software security updates that push out updates to end user devices.
IT device tracking that locates lost or misplaced devices and shuts them down.
Data encryption from cloud to cloud and from cloud to data center that ensures that data is secure while in transit.
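The monthly usage reports that IT sends to managers (described earlier in the article) and the track-and-trace alerting in the list above both come down to the same mechanism: summarize each user's activity and flag anything outside a baseline. The following is an added example, not code from the article or from any product it names. It parses a constructed access log (timestamp, user, source address, action, byte count), builds a per-user summary, and attaches alerts for off-hours logins, logins from outside the known corporate network, repeated failed logins and unusually large download volume. The log format, the business-hours window, the known network range and the thresholds are all assumptions chosen for the illustration; a real deployment would tune them.

```python
"""Per-user usage summary with anomaly flags over a constructed access log.

Added example (not the article's own tooling). Assumed log line format:
"<ISO timestamp> <user> <source ip> <action> <bytes>", where action is one of
login, login_failed or download. Baseline and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: one month of activity for two users.
SAMPLE_LOG = """\
2024-03-04T09:12:00 asmith 10.0.1.20 login 0
2024-03-04T09:15:00 asmith 10.0.1.20 download 120000
2024-03-05T02:41:00 asmith 203.0.113.9 login 0
2024-03-05T02:45:00 asmith 203.0.113.9 download 900000000
2024-03-06T10:00:00 bjones 10.0.2.15 login 0
2024-03-06T10:01:00 bjones 10.0.2.15 login_failed 0
2024-03-06T10:02:00 bjones 10.0.2.15 login_failed 0
2024-03-06T10:03:00 bjones 10.0.2.15 login_failed 0
2024-03-06T10:04:00 bjones 10.0.2.15 login_failed 0
"""

# Constructed baseline: business hours, known corporate address space, limits.
BUSINESS_HOURS = range(7, 20)            # 07:00 to 19:59 local time
KNOWN_NETS = [ip_network("10.0.0.0/8")]
FAILED_LOGIN_LIMIT = 3
DOWNLOAD_LIMIT_BYTES = 500_000_000


def parse(log_text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": ip_address(src), "action": action, "bytes": int(nbytes)})
    return events


def summarize(events):
    """Return {user: summary}; each summary carries counts and an 'alerts' list."""
    report = defaultdict(lambda: {"logins": 0, "failed_logins": 0,
                                  "bytes_out": 0, "alerts": []})
    for ev in events:
        s = report[ev["user"]]
        if ev["action"] == "login":
            s["logins"] += 1
            if ev["ts"].hour not in BUSINESS_HOURS:
                s["alerts"].append(f"off-hours login at {ev['ts'].isoformat()}")
            if not any(ev["src"] in net for net in KNOWN_NETS):
                s["alerts"].append(f"login from unknown network {ev['src']}")
        elif ev["action"] == "login_failed":
            s["failed_logins"] += 1
        elif ev["action"] == "download":
            s["bytes_out"] += ev["bytes"]
    # Volume-based checks run once per user after all events are counted.
    for s in report.values():
        if s["failed_logins"] >= FAILED_LOGIN_LIMIT:
            s["alerts"].append(f"{s['failed_logins']} failed logins")
        if s["bytes_out"] > DOWNLOAD_LIMIT_BYTES:
            s["alerts"].append(f"download volume {s['bytes_out']} bytes exceeds limit")
    return dict(report)


def render(report):
    """Format the summary as the text a manager would receive."""
    lines = []
    for user in sorted(report):
        s = report[user]
        flag = "REVIEW" if s["alerts"] else "ok"
        lines.append(f"{user:8} logins={s['logins']} failed={s['failed_logins']} "
                     f"bytes_out={s['bytes_out']} [{flag}]")
        lines.extend(f"    - {a}" for a in s["alerts"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(parse(SAMPLE_LOG))))
```

The same summary serves both uses: rendered, it is the monthly report a manager reviews; the alerts list is what an automated tool would raise immediately instead of waiting for month end. Keeping the flagged items short and specific is what makes the manager's review a small task rather than a new job.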
What Else Can Be Done to Make Data Governance Less Invasive?
The Harvard Business Review study cited above noted that when employees willfully violated corporate security and governance policies, the three most common reasons were “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done.”
By using automation and ensuring, as far as possible, that no more is asked of users beyond what they already do for data security and privacy, IT can make data governance as non-invasive as possible for users.
However, there is a caveat: Users can’t be excused from all participation and responsibility in data governance.
Following policy is the optimal way to ensure sound data governance, but periodically performing third-party social engineering audits should be another approach.
User participation in these audits is a small “ask,” and if it can save a company millions or even billions of dollars in mitigation fees that can come as a result of a data breach, it’s certainly worth it.