IT Leaders: Game-Changers for Governance, Security

By David F. Katz

A key frustration of CIOs and IT managers is the inability to articulate risk to the organization’s senior managers and corporate decision-makers who may not have the technical background to fully appreciate the scope and breadth of weaknesses in their own data environments. Often, company decision-makers rely on IT leaders to set budgets, recommend operational solutions and generally “keep the lights on” without fully understanding the complexities surrounding any given project.

When a project is critical to the business, however, these IT leaders face tremendous pressure to deliver results to management.

Even more challenging is when a crisis occurs, and questions surface about what happened and how it occurred. In these situations, IT leaders often find themselves explaining complex problems to an unsympathetic audience.

The ability to uncover and correct weaknesses in a data environment may be less about what resources are available to the IT department and more about the willingness of the business to truly embrace good data governance. The fact is, poor data governance is generally not the result of some single breakdown attributable only to the IT department. Rather, it is often a failure of the business to support specific risk-mitigation measures and initiatives—both inside and outside of IT—that create an environment in which positive data governance can flourish.

Simply having a program on paper is not sufficient. There must be a strong commitment across the organization to support and enforce the program, and to educate employees on the importance of managing the company’s data.

In 2014, IT leaders must establish themselves as leaders in their organizations and work diligently to align all employees to achieve effective data governance.

Company management and IT leadership should consider the following elements to create an environment that’s favorable for good data governance.

Establish Positive Communication Across the Enterprise

Data governance is the responsibility of everyone in the organization. This phrase should be repeated at every opportunity. For many organizations, the prevailing view is that data ownership and data governance are solely the responsibility of the IT department, and problems in these areas are for those professionals to address.

IT leaders must change this perception by establishing positive communication across the organization, and gaining the right support and cooperation to achieve ownership of data governance. The role of IT as data steward is becoming increasingly important, but also increasingly complex.

This creates challenges, but it also creates opportunities to educate others on the importance of understanding where the organization’s data resides and how it can be appropriately managed. IT leaders must make it their mission to explain this to others in the organization.

Establishing a data governance committee (DGC) is the first step to improving and increasing communication. Ultimately, it holds others accountable for implementing best practices, policies and procedures to address the risks surrounding the organization’s data.

Top-Down Support: Forming a DGC

The primary framework of data governance planning includes the people, processes, technology, and the implementation of appropriate policies and procedures necessary to ensure the preservation, availability, security, confidentiality and usability of the company’s data.

Furthermore, a DGC encourages strategic thinking and the creation of opportunities surrounding the appropriate use of data in the organization. This is a responsibility shared by every department within a company, and management needs to communicate this frequently to all employees.

The first step in creating a DGC is establishing roles and objectives for it. These should be clearly articulated in the form of a governance charter, and they should be well-understood by the key members of the DGC.

The committee should focus on creating data standards for privacy and information security, records management, employee data, trade secret and intellectual property protection, e-discovery and litigation readiness, and vendor management. These standards must include a comprehensive set of rules, policies and procedures governing the proper use and disposal of the company’s data. The DGC should decide the appropriate level of risk allocation, ensuring proper uses of insurance and contractual risk transfer in connection with data risks.

Finally, a DGC can be a powerful tool for setting the tone in a company. With top-down support, the group is responsible for ensuring that employees are properly educated and trained about institutionally appropriate practices for the collection, use and disposal of data, and that an appropriate communication channel exists for expressing concerns.