117
This is the final advisory in my series about "becoming a Data Driven Decision making Business" and hopefully you have been able to glean some practical advice and tips on how to address your businesses Data sprawl and management challenge. In this advisory I am aiming to provide a practical approach that you can use in your business to implementing guiding policies and procedures that can assist greatly with solving the Data Governance conundrum. This is to say that while most people accept they need to take control of their Data they also aren't sure how to go about this in a practical way. In all my years of experience in this technology sector working for many businesses across multiple industries I have found the key to success in this area is clear and useful communications as well as easy to follow procedures, processes, and policies. The other key ingredient to success is persistence in delivering the message that Data is our friend and it can be managed when practices align to the day to day workloads of leaders and staff across the entire enterprise.
Namely establishing a control group that meets regularly with all lines of business and discusses the handling of Data (or Information) used day to day. This group can be comprised of both non-technical and technical staff as it is only through collaboration can sustainable results be realised. Agreeing on a simple framework for Data Classification is the start, and then look to developing Data Management policies and processes that are easily understood and easily followed will ensure adoption of sensible and applicable practices. The good news is that there are many consulting firms out there that specialise in this area and for an investment proportional to your business size and type a quick engagement that involves some workshops, technical tooling and investigation you can have a report on the key types of Data and recommended controls around the management of that Data complimented by a cyber security posture statement is usually the result. Make sure you start small and get the basics in place to help moving forward. Data custodians and owners are essential so that they may input valuable anecdotal advice while starting out. They can then propagate the practices and policies to ensure Data management is taken to the rest of the business. Communication and education around the newly formed policies and procedures will help get the message out that knowing the sensitivity and criticality of the various types of Data will have a two FOLD effect. One your Data security will be better understood and the cost of controls around handling will save the business unnecessary spend of time, resource and technical controls. Only the most sensitive and critical Data will need such investment. And remember to put the sensitivity and criticality in risk terms to the business and they will be able to understand the context thus the needs for controls.
With your control group it is best to ensure you rotate workloads amongst staff to improve the education of all more broadly, this will give you an improved security awareness which will make technologies job of securing your business far easier. Formalising your Data Management policies, Data Classification will enable procedural conversations for those handling Data. Workshopping procedures around the handling of Data is next and that needs to undergo a risk based approach to identify and improve Data handling capabilities. A capability map is always good value so you can focus energy in the weaker areas. By supporting each other and communicating the value of understanding the Data handled day to day it will bring about a greater focus on Data itself. So then when providing better access to a greater range of Data to all staff versed in the controls it will become clear that whenever any business decisions are being considered the right Data can be accessed. A simple exercise or two in exactly how that could work, picking key use cases can be your best vehicle to gaining greater interest for all staff. Make your Data custodians known to all staff and the formalised procedures/policies accessible (and part of future inductions) to all and you have created a Data Management Governance structure that is both informative and practical.
The last thing you need to ensure is that the control group performs regular reviews of any formalised information so that it stays relevant but keep it simple and lightweight so not to become overly bureaucratic about the work involved. providing clear advice and the human touch can do wonders. A little bit of clever marketing and having the message that Data Management is everyone's responsibility will make sure you continue to uplift understanding and capability over time. I hope you find this useful and happy to answer any questions around Data Management challenges you may have. The field is vast and my advisories are just touching on some aspects. Good luck with your Data and stay secure as long as you understand the risks you will know what to do for controls around handling/managing your Data.
