While many MSPs are just beginning to explore the business opportunities around cybersecurity, the need for data governance has actually been an issue for years, if not decades.
“There’s always been a focus on data governance – ever since systems and applications took to the mainstream to help organizations run their businesses,” David Washo, client services partner at digital transformation consultancy AHEAD, told ChannelE2E. “Whether or not organizations knew at the time to call it ‘data governance’ or information management or data management, organizations have always known that taking care of one’s data is an integral part of business operations.”
Effective data governance is a critical part of a comprehensive cybersecurity strategy. It ensures that data is consistent and trustworthy and doesn't get misused. It's increasingly critical as organizations face expanding data privacy regulations and rely more and more on data analytics to help optimize operations and drive business decision-making.
Data governance is a core component of an overall data management strategy. But organizations need to focus on the expected business benefits of a governance program for it to be successful. Washo said that recently, with the rise of AI and more sophisticated tools and technologies, there has been a rekindled interest in data governance capabilities.
The Rise of AI Puts New Focus on Data Governance
"Specifically, for those organizations already on their journey, the focus is on what needs to change, and for those organizations starting out their journey, the focus is on how best to unfurl the capability. Do they follow traditional patterns like data domains, data stewards, and data quality? Or do they use more advanced techniques like the use of ML models and deploy advanced data catalogs and build data governance into data architectures and limit human involvement as much as possible?" Washo said.
Of course, growing regulatory compliance statutes and mandates sometimes dictate the approach MSPs must take, and can vary depending on region, vertical market and other factors.
"For global organizations, the General Data Protection Regulation (GDPR) is a big one, which focuses on protecting personal data collected and the right to remain private or anonymous," Washo said. "The California Consumer Privacy Act (CCPA) applies to California residents and is similar to GDPR, with a focus on the right to be forgotten -- to delete data -- and opt-out rights from sales campaigns. For example, not using [a customer's] personally identifiable information (PII) to sell to a third party without my consent."
If this sounds incredibly complex, rest assured -- it’s usually less invasive than organizations may think, Washo said. It’s usually just a matter of pulling together an organization's more savvy data experts (whether by subject area or domain) and starting to build a plan around better management of data, he added.
"Most times, organizations are doing some type of data governance already, but it’s being done informally. It’s the formality of certain processes, decisions and roles and responsibilities that truly brings the data governance capability to life," Washo said. That includes formalizing the answers to questions including how decisions made on data. Who calls the shots? Who’s ultimately responsible for high-quality data? How do we know data can be trusted? Who’s responsible for the remediation of data errors?
"How does the organization mobilize around its most important data? How are IT and business teams working together? All of these questions are the core of what data governance answers," Washo said. "A great way to start is by declaring that a company will formalize this capability, then define it and get moving – focus on small wins and ensuring executive sponsorship is strong."
Putting it All Together
To make it easier, Washo said, it's important to start with a good understanding of the differences between data governance and data management and ensuring that not only the day-to-day practitioners know the difference but executives do, too.
"Data governance establishes the guard rails for data management (in other words, how it should be done). Data management is the day-to-day blocking and tackling of tasks for the management of data," Washo explained. "Data governance works in partnership with data management functions. One way to make the entire function easier is to make sure there are clear roles and responsibilities. Without clear ownership and roles and responsibilities, technology enablement will be a mess and it will always be slightly unclear vis-a-vis the value and who is doing what," he said. Start simply with understanding core capabilities, gaining executive support and sponsorship, communicate often and use tech to enable these capabilities when it’s right, he said.
Other key factors that are often overlooked are the cultural and communication aspects where data governance and data management programs often stumble. As an example, Washo explained, perhaps there's an unclear understanding from leadership on what data governance is and how it can help the organization.
"Executives and management need to understand that data governance is a journey and prepare for the necessary cultural shift by focusing on new ways of working," he said. "There may not be immediate wins, but over time, an organization will see benefits. It’s very similar to exercising; a few trips to the gym will not produce immediate results. It’s the discipline and repetition of actions where results start to appear over time."
Frameworks can be helpful here, but Washo stressed that they should be used as a guide, not followed as strict gospel. "The Data Management Body of Knowledge (DMBOK) is a timeless trusted source," he said. "All frameworks, in fact, should be used as guide, but data governance programs should be specifically tailored to one’s own organization. The Capability Maturity Model Integration (CMMI) has a Data Management Maturity Model (DMMM) which is also a good guide to follow. The maturity model aspects can allow an organization to rate themselves on their overall maturity based on consistent and comparable benchmarks, Washo said.
As part of a comprehensive cybersecurity strategy, MSPs and the organizations they serve need to invest in becoming data-driven. Regardless of how they refer to the capability – data enablement, data management or data transformation - making sure the appropriate roles and responsibilities and the business results are clear will help everyone stay more secure.