Abstract
The proliferation of data exposure via social media implies privacy and security are a lost cause. Regulation counters this through personal data usage compliance. Organizations must also keep non-personal data safe from competitors, criminals, and nation states. The chapter introduces leaders to the two data governance fundamentals: data privacy and data security. The chapter argues that data security cannot be achieved until data privacy issues have been addressed. Simply put, data privacy is fundamental to any data usage policy and data security to the data access policy. The fundamentals are then discussed more broadly, covering data and information management, cyber security, governance, and innovations in IT service provisioning. The chapter clarifies the complementary fundamentals and how they reduce data abuse. The link between privacy and security also demystifies the high resource costs in implementing and maintaining security practices and explains why leaders must provide strong IT leadership to ensure IT investment is defined and implemented wisely.
TopIntroduction
Data is the bedrock for Artificial Intelligence (AI), Machine Learning (ML) and the Internet of Things (IoT). Many businesses take advantage of the significantly different data capabilities they offer from those available through traditional technologies (Patel, K., & Lincoln, M. 2019, p.6). The coming of 5G on mobile networks means that more and more data can be created and consumed ever more quickly. We have the 21st century gold rush.
In the past, data was not seen as valuable asset. Now able to analyze unstructured and structured data, much of it personal, places data at the heart of understanding every potential customer to create tailored products and services. As the research company, Forrester (2011), states, it is “the age of the customer.... Empowered by technology, customers have more leverage and higher expectations than ever before.”
Data abuse, in combination with public opinion and the related data privacy laws, such as the European Union’s General Data Protection Regulation (GDPR), means that organizations must demonstrate a duty of care over the personably identifiable data they hold to avoid fines. These requirements apply equally well to all valuable data. Data privacy and data security are core to sound data management.
What does this mean in practice? Knowing the net asset worth is important but insufficient for optimizing assets. Knowing where and how they are held, and who can access them is equally important. This is as true for data as for tangible assets, such as artwork.
A valuable painting in a gallery will have security designed around it. The value and accessibility of each painting owned is fully considered, leading to a mix of homogenous and bespoke protection. The painting’s presence, absence or damage are easy to detect. We need to set up an equivalent approach for our data.
Data is extensive and diverse forming the basis of, as well as being integral to, key decision-making, financial numbers, corporate monitoring and, ultimately, a store of wealth known as intellectual property. The combination of reach and diversity, supported by complex computer systems providing high volume storage facilities and high-speed data transfers, pose many technological and security challenges that must be solved to ensure the benefits arising from data are achieved. Data’s net worth requires an equivalent understanding to the way artwork is valued.
The research for the chapter’s content is based on the work from Gartner, Forrester and ISACA, who are leaders in the Information Technology (IT) security industry. Both make the science from the IT industry accessible for practical implementation by IT technical and non-technical business leaders. A broader range of literature was researched to establish the detail and are referenced at the end of the chapter.
From this research, the chapter establishes the type of understanding leaders must have to assess their data’s net worth and thus the level of protection needed. The key points covered in this chapter are:
- •
Broader business engagement in IT.
- •
Different and complementary aspects of data privacy and data security.
- •
Understanding the data lifecycle and how that influences privacy and security.
- •
A review of what is meant by ‘access rights’ and ‘CIA’ relating to ‘confidentiality’, ‘integrity’ and ‘availability’.
- •
How the latest innovations in information technology are making decisions around IT more complex.
- •
Identifying the governance aspects.
- •
Solutions and recommendations.
As the chapter unfolds, it becomes clear that managing and protecting data is a fundamental governance requirement and as much a board issue as are strategy and finance. At the end of the chapter, thought is given to future trends.
There is an ongoing case study to identify concerns, to ‘contrast and compare’ between two different approaches and show how the leadership mindset influences decision-making.
TopBusiness Engagement In Controlling It Privacy And Security
The desired aim is to protect data whilst making it accessible without compromise. The more flexible access is, the greater the protection needed, demanding more complex security.
Key Terms in this Chapter
Gartner: A leading information technology research and advisory company. See https://www.gartner.com/ .
CIA: Stands for ‘confidentiality’, ‘integrity’, and ‘availability’, and describes the desired attributes for data to trustworthy, accurate, and accessible to only those who have permission to use it.
Virtual Environments: Several entities sharing, independently of each other, a physical location or equipment. For example, a physical database is divided into separate, logical entities, each independent of the others. It enables different organizations to share the same infrastructure, creating economies of scale that are cheaper to use than every organization having their own physical location or equipment.
European Commission: The executive arm of the European Union, formulating policy and drafting most community legislation.
Knowledge: Having understanding, based on information and experience, to make sound assessments and decisions.
Data Lifecycle: An illustrative phrase describing the many manifestations of data from its raw, unanalyzed state, such as survey data, to intellectual property, such as blueprints. Time plays a role, too, making what was once highly prized information, such as the opening ceremony program of the 2012 London Olympic Games, now obsolete.
Data: Both a generic and specific term to describe information now typically stored on computers. It is used generically when the structure and subject matter is unknown. It is used specifically when ascribed to a defined data set, such as ‘statistical data’. The term. Often referred to as Big Data or Data Lakes, these describing large volumes and varieties of data, increasing daily by volume and subject matter. Data is both structured, where the data must conform to certain rules, such as financial transactions, and free flowing, where no or little structure is required, such as the information shared via social media. See also ‘data lifecycle’.
Internet of Things (IoT): A network of physical objects that have, like cell phones and laptops, internet connectivity enabling automatic communication between them and any other machine connected to the internet without human intervention.
European Union: An economic and political alliance of various European nations. There are 27 nations at the time of publication.
Forrester: A leading research and advisory company. See https://go.forrester.com/ .
Machine Learning (ML): A computer program having the capability to learn and adapt to new data without human assistance.
Data Commissioner: Typically, an independent authority that exists to protect information rights in the public interest, promoting openness by public bodies and data privacy for individuals. In the United Kingdom, the role is known as the ‘Information Commissioner’.
Cloud: The virtual world in which information technology tools and services are available for hire, use and storage via the internet, Wi-Fi and physical attributes ranging from IT components to data storage.
Social engineering: Manipulating people to reveal confidential information that will usually be used in criminal activities.
Data Abuse: The misuse of data, normally with malicious intention, causing harm or unfair gain through breaching ‘CIA’ or good governance practices.
Identity Management: Ways of defining and controlling access rights to data, applications and operating systems. The term is frequently associated with 3 rd party tools and services. Their value is in providing effective and efficient control to solve a fundamental but complex need.
Cyber: A prefix often associated with the vulnerabilities to, and control over, the flow of data across internet. Frequently occurring terms are ‘cyber-threats’ and ‘cyber-security’.
Artificial Intelligence (AI): Machines that work and react like humans using computer programs known as algorithms Algorithms must remain current for AI to work properly, so they rely on machine learning to update them with changes in the worldwide economy and society.
5G: The next generation of mobile networks.
Knowledge Management: The methods and underlying policies for sharing information effectively so that the sum of the skills, experience and entrepreneurial attributes of all stakeholders is greater than the sum of the individual parts. If done well, each stakeholder also benefits, thus increasing the ‘sum of the individual parts’ that go on to increase the ‘sum of the whole’ in a virtuous circle.
Morals and Ethics: Ideas or opinions driven by a desire to be good = morals. Rules that define allowable actions or correct behaviour = ethics. Definition adapted from Dictionary.com. See https://www.dictionary.com/e/moral-vs-ethical/ .
Governance: The tangible and intangible way firms behave and relate with stakeholders. Many nations have codified the behavior and accountability expected of directors to provide equitable treatment all stakeholders.
ISACA: Provider of practical guidance, benchmarks and other effective tools for all enterprises that use information systems. See https://www.isaca.org/ .