IT Leaders: Game-Changers for Governance, Security

By Guest Author  |  Posted 2014-02-05

By David F. Katz

A key frustration of CIOs and IT managers is the inability to articulate risk to the organization's senior managers and corporate decision-makers who may not have the technical background to fully appreciate the scope and breadth of weaknesses in their own data environments. Often, company decision-makers rely on IT leaders to set budgets, recommend operational solutions and generally “keep the lights on” without fully understanding the complexities surrounding any given project.

When a project is critical to the business, however, these IT leaders face tremendous pressure to deliver results to management.

Even more challenging is when a crisis occurs, and questions surface about what happened and how it occurred. In these situations, IT leaders often find themselves explaining complex problems to an unsympathetic audience.

The ability to uncover and correct weaknesses in a data environment may be less about what resources are available to the IT department and more about the willingness of the business to truly embrace good data governance. The fact is, poor data governance is generally not the result of some single breakdown attributable only to the IT department. Rather, it is often a failure of the business to support specific risk-mitigation measures and initiatives—both inside and outside of IT—that create an environment in which positive data governance can flourish.

Simply having a program on paper is not sufficient. There must be a strong commitment across the organization to support and enforce the program, and to educate employees on the importance of managing the company’s data.

In 2014, IT leaders must establish themselves as leaders in their organizations and work diligently to align all employees to achieve effective data governance.

Company management and IT leadership should consider the following elements to create an environment that's favorable for good data governance.

Establish Positive Communication Across the Enterprise

Data governance is the responsibility of everyone in the organization. This phrase should be repeated at every opportunity. For many organizations, the prevailing view is that data ownership and data governance are solely the responsibility of the IT department, and problems in these areas are for those professionals to address.

IT leaders must change this perception by establishing positive communication across the organization, and gaining the right support and cooperation to achieve ownership of data governance. The role of IT as data stewards is becoming increasingly important, but also increasingly complex.

This creates challenges, but it also creates opportunities to educate others on the importance of understanding where the organization's data resides and how it can be appropriately managed. IT leaders must make it their mission to explain this to others in the organization.

Establishing a data governance committee (DGC) is the first step to improving and increasing communication. Ultimately, it holds others accountable for implementing best practices, policies and procedures to address the risks surrounding the organization's data.

Top-Down Support: Forming a DGC

The primary framework of data governance planning includes the people, processes, technology, and the implementation of appropriate policies and procedures necessary to ensure the preservation, availability, security, confidentiality and usability of the company's data.

Furthermore, a DGC encourages strategic thinking and the creation of opportunities surrounding the appropriate use of data in the organization. This is a responsibility shared by every department within a company, and management needs to communicate this frequently to all employees.

The first step in creating a DGC is establishing roles and objectives for it. These should be clearly articulated in the form of a governance charter, and they should be well-understood by the key members of the DGC.

The committee should focus on creating data standards for privacy and information security, records management, employee data, trade secret and intellectual property protection, e-discovery and litigation readiness, and vendor management. Such policies must include a comprehensive set of rules, policies and procedures governing the proper use and disposal of the company's data. The DGC should decide the appropriate level of risk allocation, ensuring proper uses of insurance and contractual risk transfer in connection with data risks.

Finally, a DGC can be a powerful tool for setting the tone in a company. With top-down support, the group is responsible for ensuring that employees are properly educated and trained about institutionally appropriate practices for the collection, use and disposal of data, and that an appropriate communication channel exists for expressing concerns.

Specifically, the roles and responsibilities of the DGC include:

· Establishing direct reporting to the appropriate, most-senior governance level of the company, since there should be accountability for data governance and oversight at the organization’s highest levels.

· Evaluating and responding to internal proposals about the use of data and information in connection with data mining, behavioral targeting and data analysis.

· Monitoring implementation and compliance, and when appropriate, proposing revisions to all data governance policies adopted by the company.

· Providing oversight to senior management, the CTO and the employees in their efforts to reinforce good business practices and maintain legal requirements applicable to the company.

· Staying informed on a regular and timely basis about compliance activities, training activities, communications programs, compliance audit reports, and summaries of any other reports of alleged violations of the company's data governance policies.

· Conducting annual evaluations of the company's data governance practices.

· Consulting with necessary advisors to ensure that the company conducts its business activities in compliance with the law.

Training and Education

Training and education are key components of any program. IT leaders should be out front and visible, and they should set the tone for training in data governance areas. Training and education programs should effectively communicate to corporate employees the risks that can arise from poor information security and poor data management practices.

Any training program also should include specific recommendations about the manner in which data is to be managed, retained or destroyed. In addition, it should explain the specific policies that apply to employees, and why these policies must be enforced by managers and other corporate leaders.

Establishing a Relationship with General Counsel

A strong relationship with the organization’s general counsel can be extremely effective in helping IT leaders articulate risks to the business.

IT leaders should further develop this relationship and partner with the legal department to develop sound policies, communicate the importance of creating good data management practices among employees, and explain the serious consequences of underfunding this important—and often legal—obligation of the company.

The stakes for data governance continue to be high for 2014. Very large advances can be made in this area, given the high degree of scrutiny companies face regarding privacy and information security.

IT leaders should not waste any opportunities to step up as leaders in their organizations by establishing accountability; training and educating all employees; and making adjustments where needed—whether that means initiating changes to an existing program or establishing a new one.

Failure to address these issues now will have long-term consequences for an organization—none of which would be pleasant.

David Katz is a partner with Nelson Mullins Riley & Scarborough LLP in Atlanta. His practice focuses on regulatory compliance, consumer privacy and data security compliance, information governance, ethics, corporate governance and enterprise risk management. He can be reached at