BreachExchange mailing list archives

CDOs say data accessibility plans should be theirs to lead


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 28 Jul 2015 19:45:48 -0600

http://searchbusinessanalytics.techtarget.com/news/4500250664/CDOs-say-data-accessibility-plans-should-be-theirs-to-lead

The question of what data to liberate for use in self-service analytics
applications and what data to lock down continues to vex many businesses.
Most organizations today would like to consider themselves data-driven, and
at the heart of that posture is often a self-service ecosystem that gives
large numbers of users access to data and the ability to analyze it. At the
same time, large-scale data breaches continue to dominate headlines,
highlighting the risks of open access.

For Nicholas Marko, chief data officer at Geisinger Health System in
Danville, Pa., it's up to CDOs like him to figure out how to strike the
balance between data accessibility and security. Speaking at the 2015 MIT
Chief Data Officer & Information Quality Symposium in Cambridge, Mass.,
last week, Marko said responsibility for an organization's data strategy
isn't really a good fit anywhere else. It requires more strategic thinking
than IT departments typically are used to and is less focused on the
traditional domain of CIOs, the selection of new hardware and software, he
added. But he sees it as a good match for the chief data officer (CDO),
whose job descriptions are still being written in many organizations, but
generally include responsibilities related to the strategic use of data.

Finding the proper balance between accessibility and security is crucial to
the success of business intelligence efforts. The easiest way to protect
data is to lock it away behind a firewall, but the more layers of security
you add, the more difficult it is for users to access information. That can
hamper data sharing and self-service BI and analytics projects.

Working in healthcare, Marko said he's seen the pendulum swing too far in
the direction of locking down data. This is partly due to particularities
of the industry, which is governed by the federal Health Insurance
Portability and Accountability Act, a law that specifies strict patient
privacy requirements. In many cases, "the problem isn't securing data," he
said. "Sometimes the problem is un-securing data."

Breaches breed more caution on risks

Not every industry faces the same kind of regulatory stick when it comes to
protecting data. But with the large number of high-profile data breaches in
the past few years, more and more businesses in less regulated industries
are also seeking to minimize their risks. Even without the threat of
regulatory punishment, there's still the risk of reputational harm -- as
well as possible financial losses and legal liabilities -- that can come
from a breach.

That's not to say balancing data accessibility and security is a glamorous
task. Figuring out which data is sensitive and needs tight protections, and
identifying employee roles that should be granted access to data can be
political and time-consuming. Business departments often control their own
systems and don't want anyone telling them they're going to have limited
access to the data in those systems.

Derek Strauss, CDO at online brokerage TD Ameritrade Inc., said during a
session at the conference that when he first took on his current role four
years ago, he didn't want to go anywhere near the issue of data
accessibility because it was so political. But, he added that he came to
see it as a central function of his role. No one in the organization is
better positioned to bring together heads of different departments and help
them come to a consensus on accessibility versus security, Strauss said.
"The CDO has to step into that role and orchestrate the solutions."

Some separation of data is natural

The biggest thing a CDO can do to support a healthy balance between access
and security is to partition data logically through classifications and
privilege settings, conference speakers advised. Marko said that
identifying and classifying data according to metadata tags can be helpful.
Mark Ramsey, CDO at U.K.-based pharmaceutical maker GlaxoSmithKline PLC,
said setting access privileges based on report type is also a good way to
maintain access control through partitioning.

For example, Ramsey said that reports about a company's financial
statements are highly sensitive and shouldn't be shared widely throughout
the organization. On the other hand, location-based marketing data is
usually rather general and, therefore, not all that sensitive -- as a
result, there's less at stake when it is accessed by users. "All data is
not created equal," he said.
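As an added illustration (not code from the article or from any of the organizations it names), the following Python sketch shows what the two suggestions above look like once written down as an enforceable policy: datasets carry metadata tags that set a floor on their classification (Marko's point), roles are granted a maximum classification per report type (Ramsey's point), and every access decision is deny-by-default and returns a reason that can be logged. All dataset, role, tag and report-type names are constructed for the example and are not taken from any real system.

```python
"""Tag-driven data classification with per-report-type access checks.

Added example, not code from the article or from any organization it names.
Every dataset, role, tag and report type below is a constructed sample.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# A metadata tag raises a dataset's classification to at least this level,
# regardless of what the owning department declared (hypothetical tag names).
TAG_FLOOR: Dict[str, Level] = {
    "phi": Level.RESTRICTED,        # protected health information
    "pii": Level.RESTRICTED,
    "financial": Level.CONFIDENTIAL,
}

# Tags that additionally require a named approval on the role, not just clearance.
APPROVAL_REQUIRED: FrozenSet[str] = frozenset({"phi", "pii"})


@dataclass(frozen=True)
class Dataset:
    name: str
    report_type: str
    declared: Level                      # what the data owner said it was
    tags: FrozenSet[str] = frozenset()   # metadata tags attached at ingestion

    def classification(self) -> Level:
        """Effective level: the declared level, raised by any tag floor."""
        floors = [TAG_FLOOR[t] for t in self.tags if t in TAG_FLOOR]
        return max([self.declared, *floors])


@dataclass(frozen=True)
class Role:
    name: str
    clearance: Dict[str, Level]          # report_type -> highest readable level
    approvals: FrozenSet[str] = frozenset()  # tags this role may handle


# Constructed sample catalogue and role set.
DATASETS: Dict[str, Dataset] = {d.name: d for d in [
    Dataset("quarterly_financials", "financial_statement", Level.INTERNAL, frozenset({"financial"})),
    Dataset("store_foot_traffic", "location_marketing", Level.INTERNAL),
    Dataset("campaign_regional_summary", "location_marketing", Level.PUBLIC),
    Dataset("patient_readmissions", "clinical_outcomes", Level.CONFIDENTIAL, frozenset({"phi"})),
    Dataset("deidentified_outcomes", "clinical_outcomes", Level.CONFIDENTIAL),
]}

ROLES: Dict[str, Role] = {r.name: r for r in [
    Role("analyst", {"location_marketing": Level.INTERNAL, "clinical_outcomes": Level.CONFIDENTIAL}),
    Role("finance_controller", {"financial_statement": Level.CONFIDENTIAL, "location_marketing": Level.INTERNAL}),
    Role("clinical_researcher", {"clinical_outcomes": Level.RESTRICTED}, frozenset({"phi"})),
]}


def decide(role: Role, dataset: Dataset) -> Tuple[bool, str]:
    """Deny-by-default decision with a reason string suitable for an audit log."""
    limit = role.clearance.get(dataset.report_type)
    if limit is None:
        return False, f"role has no clearance for report type {dataset.report_type!r}"
    level = dataset.classification()
    if level > limit:
        return False, f"dataset is {level.name}, role cleared only to {limit.name}"
    missing = (dataset.tags & APPROVAL_REQUIRED) - role.approvals
    if missing:
        return False, f"role lacks approval for tags {sorted(missing)}"
    return True, "allowed"


def check_access(role_name: str, dataset_name: str) -> Tuple[bool, str]:
    """Look up names, then decide; unknown names are denied, not errored."""
    role, dataset = ROLES.get(role_name), DATASETS.get(dataset_name)
    if role is None or dataset is None:
        return False, "unknown role or dataset"
    return decide(role, dataset)


def accessible_datasets(role_name: str) -> List[str]:
    """Datasets a role may read, for populating a self-service catalogue."""
    return sorted(n for n in DATASETS if check_access(role_name, n)[0])


if __name__ == "__main__":
    for role_name in ROLES:
        for dataset_name in DATASETS:
            allowed, reason = check_access(role_name, dataset_name)
            print(f"{role_name:20} {dataset_name:28} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Two design points are worth noting. The tag floor means a department cannot under-declare a dataset that carries PHI or financial statements, which is the practical failure Marko and Ramsey are both describing; and the decision returns a reason rather than a bare boolean, so the denials that users will inevitably complain about in a self-service environment can be explained from the audit trail instead of re-litigated.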

Not everyone agrees that balancing data accessibility against security
should be within the purview of the CDO. Eugene Kolker, CDO at Seattle
Children's Hospital, said during the same panel discussion in which Marko
took part that his organization and many others already have a chief
information security officer. In his view, the CDO should be more focused
on making sure employees understand the data they have access to and are
knowledgeable about the tools they have at their disposal. It would
effectively be doubling up on that person's efforts for CDOs to engage so
heavily in the realm of data security, Kolker noted. "The CDO can't do
everything," he said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
