Assets & Accountability
So imagine a corporate earnings report where the CFO says, “We have a ton of money. We’re not sure what kind, what’s protecting it, where it is or even how much of it we have but trust me, it’s a lot.” His exit interview would take less time than the corporate Tweet of his next career move.
In a world where “data is the new oil” and is often characterized as a fungible resource, why are so many companies unable to answer even the most basic questions regarding their inventory of this valuable corporate asset? What kind? Where is it? What’s protecting it? How much do you have? Many companies appear ready to boast of the troves of unique and sensitive data that they process and possess but unable to give a cogent accounting of it.
If it truly is an asset (and it is) then there needs to be accountability regarding the character, quantity, security and disposition of the property being managed. Perhaps that’s the difference between a CFO and a CIO. Perhaps corporations have borrowed the buzzword of “asset” to be applied more euphemistically than categorically regarding data.
To be sure, in recent years, fears of being the next hacking headliner have caused companies to direct increased funding toward the CIO’s camp in the (sometimes misguided) notion that this would improve security. Unfortunately, years of increased spending in an environment where cyber attacks continue unabated have left many companies wondering what they got from their investment. Whether or not you believe it’s a good thing, the prospect of data security is not a problem with a price tag. You can’t buy your way to good security from a product vendor. It’s more like piano lessons. It requires practice.
So the answer is to apply the fundamentals of Asset Management. Just as an Asset Inventory allows an organization to know how many and what types of assets they have, so too, a Data Inventory can be used to identify the types and quantities of sensitive data received. A Data Classification can then be used to help determine which data are more valuable (i.e. sensitive) and thereby recommend which safeguards can be used to appropriately protect that data without incurring excessive costs. Next, a Data Mapping can help to identify how data moves through the “plumbing” of a company and identify any potential problems or possible exposures (i.e. leaks). Once everything is in place, audit is available as a means of checking the efficacy and accuracy of the system. This isn’t rocket science. We know what to do and we know how to do it. Being accountable for data assets is no more mysterious than being accountable for financial assets. Phenomenal investments are trumped by fundamental practices.