Don't gamble your company's reputation on data governance

Over the last two decades, the primary contribution of information technologies in firms has been about efficiency and enablement: to improve processes, make people more productive, reduce time to market, or enable things that couldn't be done previously. The focus has been on costs and payoffs. This decade is witnessing a new challenge: data. There is suddenly too much of it, and while firms rush to mine it, they do so without adequate regard for the risks in keeping and using it.

Hardly a week goes by without yet another major breach or scandal involving data. The last month has been particularly bad. TomTom sold location data to law enforcement without asking its consumers, Apple has been gathering consumer movement and use data on its devices, while Epsilon and Sony were hacked, with sensitive data on hundreds of millions of individuals stolen. Despite reassurances from these companies, it is hard to be certain whether and when this data will be misused. More importantly, the reputations of these companies have been badly damaged.

Are these incidents any different in terms of potential impacts on franchises from product recalls due to defects in industrial products? Not really. And perhaps some companies are beginning to realize this. Indeed, one major positive development from the Sony fallout has been the company's creation of a "Chief Information Security Officer (CISO)" position. This is a laudable step that others should follow. But it doesn't go far enough in acknowledging the real problem.

Sony and many other firms view the security and use of data as a technical problem. But in fact, the governance of data is a management problem. The lapses we are seeing are not technical ones, but failures in management. Where data is the lifeblood of commercial activity, its management in many industries must reside in the C-suite, not in the trenches.

Lapses in data governance in data-dependent industries are no different than product defects in the physical world. The reason is simple. Increasingly, it is information itself that is the product, with technology being the critical conduit for its exchange. Many industries that touch our lives on an everyday basis involve information products. If one considers the firms that we deal with every day, such as Google, Facebook, banks, media, and telecommunication companies, their products are information-based. Even when there is a physical product, digital interaction with consumers transforms part of the consumer experience into one that is information-based. Information products have different properties than traditional physical products and are subject to different economics and risks. Furthermore, the growing volume of data created as a by-product of this digital interaction brings with it significant benefits as well as risks.

CEOs who are insulated from technology have largely failed to grasp the implications of this shift in the role of information technology from enabler to product and still expect their technologists to deal with all aspects of data. This is a mistake. They must partner actively with their CIOs in assessing the importance of data to their product or service and the franchise to avoid the reputational risks from the lack of effective data governance.

Isn't It Time CEOs Were Held Accountable For Technology?

When an automobile has a defect, it involves the CEO. If a brake or gas pedal is defective or a tire substandard, the CEO steps in immediately to manage the fallout and address its customers directly. The same must be true for data breaches and misuse. The Sony data breach was an important milestone in that its chief apologized, albeit somewhat late, for a defect in its information-based product. While Sony appointed a dedicated CISO to deal with data security, it didn't go far enough in acknowledging that this is a management problem, not a technical one.

We believe that firms need to give the same level of importance to their data governance policies as they do to their products, financial reporting practices, or brand equity management. Viewing data privacy management through the lens of network management or potential liability is too narrow. This isn't a legal, technological or compliance issue. Rather, it's an executive matter, one made more critical by the continual increase of data and the corresponding increase of risk in cyberspace. As devices become more powerful, providing more and richer electronic touch points to human activity, the scope of available electronic information explodes, and the associated risks to handling these data also grow exponentially. Companies actively collect and mine this data and even sell it without considering the risks, as the recent Apple, TomTom and Epsilon incidents reveal.

These developments strengthen the case for the CIO being a full-fledged member of the C-suite and embracing the new role of managing their firm's data with a more holistic and strategic approach. CIOs should partner with their CEOs in putting in place a coherent and transparent policy that defines the frequent and deliberate choices about what data to acquire, keep, use and share. A first question that such a policy might answer is: Do we keep too much data? Our research (in conjunction with NYU research scientist Jessy Hsieh) suggests that the answer to this question is generally "yes."

The less data you keep, the less you need to worry about keeping it secure. Next, it is essential to have a clear idea about the use of the data you keep, and specifically, to assess whether this use is congruent with the customers' intent when they provided it to your firm. We have developed a framework that provides executives with a roadmap for answering these questions, the details of which are available in our working paper titled "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers," available from the Center for Digital Economy Research at the NYU Stern School of Business.

It took a global financial crisis to get the public to pay attention to systemic financial risk. There is equivalent and growing systemic risk in cyberspace. We hope it does not take a massive data breach at an Apple, Google or Facebook to make data governance a top executive priority. Because once that data is out there, it's out there for good, and there's no taking it back.

Vasant Dhar is the Daniel P. Paduano Fellow and Professor at NYU's Stern School of Business, and Director of Stern's Center for Digital Economy Research. Arun Sundararajan is the NEC Faculty Fellow and Associate Professor at NYU's Stern School of Business, and a Distinguished Academic Fellow at the Indian School of Business for 2010-12. Vasant and Arun conduct research about how information technology transforms markets and corporate strategy, with expertise in privacy, business intelligence and digital business models.
