This chapter assumes data is a key asset that, if lost or damaged, severely disrupts business capability and reputation. The chapter has one core purpose, to provide leaders with sufficient understanding of two data management fundamentals, data privacy and data security. Without that understanding, Information Technology (IT) security will always be seen as a cost on, not an investment towards, quality and performance. The chapter reviews the relationship between data privacy and data security. It argues that data security cannot be achieved until data privacy issues have been addressed. Simply put, data privacy is fundamental to any data usage policy and data security to the data access policy. The topic is then discussed in broader terms, in the context of data and information management, covering various themes such as cyber-crime, governance, and innovations in identity management. The chapter's intended outcome is to clarify the relationship between data privacy and security and how this understanding helps reduce data abuse. The link between privacy and security will also demystify the reason for high costs in implementing and maintaining security policies and explain why leaders need to provide stronger IT strategic leadership to ensure IT investment is defined and implemented wisely.
TopIntroduction
Knowing the net worth of company assets is important but insufficient for optimizing assets. Knowing where and how they are held is equally, if not more, important: who has influence over their use will influence their net worth. This is as true for data in computer systems as for tangible assets such as artwork.
Take, for example, a valuable painting sitting in an office. It will have security built around it, such as alarms to notify if it is moved without authorization, and insurance in case of damage or theft. The value and accessibility of each painting owned is taken into account, leading to a mix of homogenous and bespoke protection. It is also easy to detect if artwork has been damaged, lost or stolen because we can see its presence or absence. We need to set up an equivalent approach for our data.
The harsh reality is that data security is extremely labor intensive. Ensuring we know where data is and who can access it, requires as much expertise as was required to produce the related intellectual property in the first place. The main reasons are that data is extensive and diverse. Data reaches every corner of the organization; we would be hard-pressed to identify processes without any. Data is diverse for many reasons explained later on but the main one for leaders to take note of is that data forms the basis of, as well as being integral to, key decision-making, financial numbers, corporate monitoring and, ultimately, a store of wealth known as intellectual property. This diversity requires an equivalent understanding of data’s net worth in the same way each piece of artwork does.
The combination of reach and diversity is supported by complex computer networks, enabling high volume storage facilities and high speed transfer of assets – capabilities posing a number of technological challenges to ensure the benefits arising from data are achieved.
The research for the chapter’s content is based on the work from Gartner and ISACA, who are leaders in the IT security industry. Both make accessible the science coming from the IT industry for practical implementation by technical and non IT-technical business leaders. A broader range of literature was read to establish the detail. The references, at the end of the chapter, refer directly to points made in the chapter.
From this research, the chapter establishes the type of understanding leaders need to have, to assess their data’s net worth and thus the level of protection needed. The key points covered in this chapter are:
- •
The broader business engagement in IT.
- •
The different and complementary aspects of data privacy and data security.
- •
Understanding the data life-cycle and how that influences privacy and security.
- •
A review of what is meant by ‘access rights’ and ‘CIA’ relating to ‘confidentiality’, ‘integrity’ and ‘availability’, and how the latest innovations in information technology are making decisions around IT more complex.
- •
Identifying the governance aspects.
- •
Solutions and recommendations.
As the chapter unfolds, it becomes very clear that managing and protecting data is a fundamental governance requirement and as much a board issue as strategy and finance.
At the end of the chapter, some thought is given to trends and how data will be managed in the future.
There is an ongoing case study to identify concerns, to ‘contrast and compare’ two different approaches and show how the corporate ‘mindset’ influences decision-making.
TopThe Broader Business Engagement In It
High-level policies on data usage and protection are far removed from the reality of implementation. A general approach to data security is to protect data whilst making it accessible, as flexibly as possible, without compromising that protection and making sure it is always available when needed. The more flexible access is, the greater the protection needed. That requires more complex security, which is resource-intensive and expensive.