Lately, we’ve been so focused on data governance, extracting the most value from our data, and preventing the next big breach that many of us have overlooked the IT governance fundamentals that help us achieve great data governance.
The source of some of the confusion is that data and IT governance have very similar and interdependent goals. Broadly speaking, both processes aim to optimize the organization’s assets to generate greater business value for the organization.
Since IT and data governance are so inextricably connected and vital to an organization’s operations, let’s compare and contrast the two.
What is IT governance?
IT governance ensures that the organization’s IT investments support the business objectives, manage the risks, and meet compliance regulations.
Examples of an organization’s IT investments: physical and technical security, encryption, servers, software, computer and network devices, database schemas, and backups.
It’s often argued that these investments are considered a cost center rather than a money generator. Here’s some tough talk: organizations wouldn’t be able to operate, optimize or even generate revenue without IT.
In short: no IT, no data, and no business.
But good IT operations require dedicated leadership to ensure that tech investments are maximized.
Stakeholders involved in the success of IT governance include the board of directors, executives in finance, operations, marketing, sales, HR, vendors and, of course, the chief information officer (CIO) as well as other IT management.
The key individual who’s responsible for aligning IT governance to the organization’s business goals is the CIO.
To accomplish their goals, CIOs will often use existing data governance frameworks, created by industry experts. These frameworks also provide implementation guides, case studies and assessments. Here are some frameworks you may have heard of:
COBIT 5: A staple in the industry, this framework helps enterprises with IT governance, business optimization, and growth by leveraging proven practices. This framework is based on five key principles for governance and management of enterprise IT:
- Meeting Stakeholder Needs
- Covering the Enterprise End-to-End
- Applying a Single, Integrated Framework
- Enabling a Holistic Approach
- Separating Governance From Management
ITIL: The IT Infrastructure Library helps align IT services with the needs of the business. It is best known for its framework of five core publications, each of which collects the best practices for one phase of the IT service lifecycle.
FAIR: This is a new framework and, according to their website, “they’re a non-profit professional organization dedicated to advancing the discipline of measuring and managing information risk. They provide information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective.”
When it comes to frameworks, you’ll have to decide which one works with your company culture. Oftentimes, organizations find that a hybrid approach works best.
And with proper IT governance, the chance of data governance success increases. Why? The way a company runs and manages its systems, applications, and IT support, and the way those manage data, will impact data governance.
What, then, is data governance?
Data governance refers to the management of data in order to improve business outcomes and fuel business growth.
So far, with the exception of asset type, data governance is very similar to IT governance.
The stakeholders involved in data governance include all the individuals required for IT governance plus a few more executives: the board, executives in finance, operations, marketing, sales, HR, vendors, CIO, IT management.
However, the individual responsible for aligning data with the organization’s business metrics is the chief data officer (CDO). The CDO will also enlist data scientists, programmers, and any department that generates data, which is every department within an organization.
CDOs are a recent addition to the C-suite, and they help lead companies in generating business value from data. According to Gartner, 90 percent of large organizations will have a chief data officer by 2019.
Yes, a CDO is very much a technical role, but this position also requires business and change management skillsets. After all, they have to aggregate the data, analyze the data, and most challenging of all, get the business to act on the data.
Since data governance is a relatively new field, there aren’t established frameworks, such as COBIT 5.
But based on my research and speaking with pros at conferences, a company’s executive suite should be asking some of the following questions:
- What is your business strategy?
  - A data strategy isn’t going to generate a single incremental dollar for your business; it’s simply an enabler.
- Have you defined and communicated key objectives throughout your organization?
  - You’re going to be wasting a lot of time, money and resources solving for a problem if you don’t know what the business problem is.
- Do you have the right data and is it of sufficient quality?
  - Without data quality, your data projects and analytics will inevitably fall short.
In talking with Jeffery McMillian, CDO of Morgan Stanley, I learned that he spends 90% of his time focused on the first two questions. Based on his experience, if you don’t get these right, everything else is pretty much null.