Data is increasingly becoming the currency for organizations. Michelle Dennedy, Chief Privacy Officer for Cisco said, “We are entering an age where enterprises are effectively data bankers.” This is particularly the case for organizations driving disruptive business strategies.
According to Jeanne Ross of MIT/CISR, there are two types of digital disruption taking place in enterprises today – customer engagement or value-added digital business services. Each of these has organizations putting data at the center of the business.
Disruptors either use data to change how they engage their customers or to change the value extracted by customers and thereby, how revenue is obtained. For the latter, think about what GE has done to change its business model by moving from equipment to services.
When you put data at the center of an organization’s business strategy, you change its business fundamentally. Chief Information Officers call the insights extracted from data as either the gold at the end of the rainbow or as providing the muscles to compete. It should be clear that tangible business value is created here, regardless of which digital strategy your organization is pursuing.
But think about the impact to customer experience if you do not protect the privacy of those that are in a customer insights database. As you put together more of your customers’ digital lives for omnichannel marketing, the risk of unauthorized release of customer data increases. Meanwhile, in cases where data becomes the product, there is real risk if what you are charging for becomes released for all to see.
The economic impact of either loss is significant. This means that incumbent digital disruptors need to put real attention and dollars into protecting their data directly. In fact, one banking CIO suggested that Fintech startups do not have the resources to compete against the major financial industry incumbents at protecting data. They cannot afford to do what the majors do, and this CIO suggests that protecting data can even become a basis of go-forward competitive advantage.
With sensitive data being at risk of a potential attack, those in charge of digital strategies are waking up to the need to adopt more rigorous policies and capabilities to protect data as it moves from a corporate asset to a foundational business capability. The goal should be to stop targeted cyberattacks from creating data losses for “the gold at the end of the rainbow” that drive customer engagement or value-add digital businesses.
In order to protect data, CIOs and Chief Information Security Officers (CISOs) say to me the emphasis needs to move from the application to the data touch points. This requires that data security be baked in from the start. CIOs say security today needs to be systematic, with the ability to centrally govern data access and enforce protection policies across every location that data flows – at rest, in use or in motion.
This is essential regardless of the nature of customer or digital business service data (structured, semi-structured or unstructured) and irrespective of how it is stored (traditional database, a big data file system or cloud-based BI systems).
For many, it is a big change in approach, but according to experts like Michelle Dennedy, it is the next step because it protects the value. Dennedy co-authored "The Privacy Engineer's Manifesto: Getting from Policy to Code to QA to Value". I am not sure if every organization thinks this way, but in Dennedy’s manifesto, she suggests that privacy and data protection need to be “purposely architected” into the systems that run today’s enterprises. And doing this clearly matters where customer satisfaction is an imperative or where regulatory pressures exist.
Dennedy suggests that as the information age progresses, what is needed to protect privacy and data needs to change. The below chart aims to summarize the manifesto’s argument.
The move to the right needs to occur because people, devices and systems “seamlessly make handshakes, connect and process information.” In this environment the only way to protect data, according to Dennedy, is to protect data rather than the things that surround it. Data-centric and person-centric requires a “proactively engineered systems architecture.”
Clearly, data is now foundational to digital disruption, and getting data protection right should be part and participle of digital disruption strategy. There is much to do to get it right, but to me getting it right starts by maturing from perimeter and identity security to data-centric and person-centric security. This is how you can reduce risk and govern security from policies.