CDO & CISO: A Match Made in Heaven or Hell?
Written by Corinium on Jan 22, 2016
You may have heard that there is a new member of the C-suite, a champion of modern-day business and true visionary who is exploiting a previously undervalued commodity to accelerate a cultural transformation: the Chief Data Officer (CDO).
The CDO has helped drive the enterprise-wide case for acknowledging data as a strategic and valuable corporate asset. However, as with most valuable assets, data needs to be protected, which draws us to another C-suite executive: the Chief Information Security Officer (CISO).
We have all seen the various articles and reports documenting the “Rise of the Chief Data Officer” – some have referred to the position as a “Corporate Rockstar” whilst others have heralded the CDO as the “new hero of big data and analytics”. As organisations race to appoint this executive position, the true definition of the CDO has remained rather ambiguous.
Gartner defines the realm of the CDO's responsibilities, stating that they must “combine accountability and responsibility for information protection and privacy”, whereas IBM have stated that “data protection is a special aspect of data upkeep. It is of paramount importance to any organization, given the high risks associated with failure to protect data as an asset. If the one who has the data is the king, then the king needs to protect his kingdom.” If the notion of “King” is used in reference to a sole, absolute wielder of power, then where does this leave the CISO? Does the inclusion of the CDO threaten the position of the CISO? Or has the CISO found its greatest ally?
"If the one who has the data is the king, then the king needs to protect his kingdom."
The case for collaboration
A data breach can have dire consequences and make for a public relations disaster, which can ultimately affect customer loyalty and profits. We all know of the high-profile cyber-attacks that plagued our news channels, involving brands such as TalkTalk, Ashley Madison, Carphone Warehouse and Anthem. In a recent conversation, a CDO from the Healthcare sector stressed the business impact of a highly-publicised data breach, stating that: “Both data protection and privacy are related. Let’s take for instance the Retail Sector, if your existing and potential customers know you have security issues, they will assume that you could have privacy problems as well – which can affect the loyalty of your customer base. This can damage your reputation and have an adverse effect on the CDO’s ability to draw on the raw materials which are the data assets they need.”
With the techniques used by attackers growing ever more sophisticated, their advancement must be met with a strong foundation of collaboration between the CDO and the CISO, ensuring adequate protection and security of data. Although CDOs were previously less concerned with security, the recent breaches are causing some CDOs to acknowledge the harsh reality that their hard work could be undone by a preventable breach.
There is tremendous scope and opportunity in the partnership between the CDO and the CISO. A U.S. public sector CDO told us that ‘no data is created equal’, so the CDO can aid the CISO in categorising data sets by sensitivity and importance; stricter security policies can then be established for the most sensitive categories to better protect and govern access to that data. Effective data classification also furthers Data Governance, ensuring the right individuals have access to the right data at the right time, and it gives the CISO a baseline against which irregularities in data access can be monitored.
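The chain described above (classify data sets by sensitivity, derive access policy from the classification, then watch access logs for irregularities against that policy) is easy to state and worth seeing end to end. The following Python is an added example and not code from the article or from any of the organisations it quotes. It assumes a four-level classification scheme, a hypothetical data-set register and role clearances, and a few constructed access-log lines; the "bulk read" threshold is likewise an assumed value that a real deployment would tune per data set.

```python
"""Classification-driven access policy plus an access-log irregularity check.

Added example (not from the article). All data sets, roles, thresholds and
log lines below are hypothetical/constructed.
"""
from dataclasses import dataclass

# Assumed classification scheme, ordered from least to most sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Hypothetical data-set register, the kind of thing a CDO's team would own.
DATASETS = {
    "marketing_web_stats": "public",
    "sales_pipeline": "internal",
    "customer_pii": "confidential",
    "patient_records": "restricted",
}

# Hypothetical role clearances, agreed jointly by CDO and CISO. A role may read
# any data set whose level is at or below its clearance.
ROLE_CLEARANCE = {
    "contractor": "public",
    "analyst": "internal",
    "data_scientist": "confidential",
    "clinician": "restricted",
}

# Assumed threshold: a single read of this many rows from confidential or
# restricted data is treated as irregular even when the role is cleared.
BULK_READ_THRESHOLD = 10_000


def is_access_allowed(role: str, dataset: str) -> bool:
    """Policy decision derived purely from the classification register."""
    level = DATASETS.get(dataset)
    clearance = ROLE_CLEARANCE.get(role)
    if level is None or clearance is None:
        return False  # unregistered data sets and unknown roles are denied by default
    return LEVELS[clearance] >= LEVELS[level]


@dataclass
class AccessEvent:
    user: str
    role: str
    dataset: str
    rows: int


def parse_log(lines):
    """Parse constructed log lines of the form 'user=.. role=.. dataset=.. rows=..'."""
    events = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(AccessEvent(fields["user"], fields["role"],
                                  fields["dataset"], int(fields["rows"])))
    return events


def find_irregularities(events, bulk_threshold=BULK_READ_THRESHOLD):
    """Return (user, dataset, reason) for each event that breaks policy or
    reads sensitive data in bulk. Access to data sets missing from the
    register is itself a finding: unclassified data cannot be governed."""
    findings = []
    for e in events:
        if not is_access_allowed(e.role, e.dataset):
            findings.append((e.user, e.dataset, "policy_violation"))
            continue
        # Here the data set is known to be in the register (access was allowed).
        sensitive = LEVELS[DATASETS[e.dataset]] >= LEVELS["confidential"]
        if sensitive and e.rows >= bulk_threshold:
            findings.append((e.user, e.dataset, "bulk_read"))
    return findings


# Constructed sample log for demonstration only.
SAMPLE_LOG = [
    "user=alice role=analyst dataset=sales_pipeline rows=120",
    "user=bob role=contractor dataset=customer_pii rows=50",
    "user=carol role=data_scientist dataset=customer_pii rows=250000",
    "user=dave role=clinician dataset=patient_records rows=3",
    "user=erin role=analyst dataset=unregistered_dump rows=10",
]

if __name__ == "__main__":
    for user, dataset, reason in find_irregularities(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {user} -> {dataset}")
```

Run as a script it reports bob (a contractor reading confidential PII), carol (a cleared role, but a 250,000-row pull of PII) and erin (reading a data set the register has never classified). The point of the design is that the CISO's monitoring logic contains no knowledge of what the data is; everything it needs comes from the classification register and clearances that the CDO and CISO maintain together, so changing a data set's level changes both who may read it and what counts as irregular.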
"CDOs lack the security and protection expertise of a CISO, whilst CISOs don’t understand the value of data to the organisation in the same way as a CDO."
Does size matter?
Some CDOs believe the size of a company also affects CDO and CISO relations, or may remove the need for co-operation altogether, stating that, “with a large company it makes sense to divide the responsibilities pertaining to Data Governance, security and protection between the CIO, CDO and CISO. Whereas in a small company, they may not have this liberty and thus have to combine these positions.” Is this a notion that should perhaps be adopted by larger organisations?
A CDO from a pharmaceutical company highlighted to us the asymmetrical perspectives of the CDO and the CISO in relation to data, stating, “CDOs lack the security and protection expertise of a CISO, whilst CISOs don’t understand the value of data to the organisation in the same way as a CDO.”
Perhaps there is power in the complementary skills that both parties bring to the table. It is clear that this distinction in attributes can form the crux of a partnership that bolsters effective and efficient access, classification, security and governance of data. We can find solace in the fact that neither party knows it all, so they will need to work cohesively to solve a company’s most critical data problems. I certainly believe this is a potential match made in heaven; however, without clearly defined responsibilities it can indeed be a match made in hell.