CDOs say data accessibility plans should be theirs to lead

Balancing data access and security in an organization isn't the most glamorous task, but several chief data officers at an MIT conference said it's something CDOs need to take charge of.

The question of what data to liberate for use in self-service analytics applications and what data to lock down continues to vex many businesses. Most organizations today would like to consider themselves data-driven, and at the heart of that posture is often a self-service ecosystem that gives large numbers of users access to data and the ability to analyze it. At the same time, large-scale data breaches continue to dominate headlines, highlighting the risks of open access.

For Nicholas Marko, chief data officer at Geisinger Health System in Danville, Pa., it's up to CDOs like him to figure out how to strike the balance between data accessibility and security. Speaking at the 2015 MIT Chief Data Officer & Information Quality Symposium in Cambridge, Mass., last week, Marko said responsibility for an organization's data strategy isn't really a good fit anywhere else. It requires more strategic thinking than IT departments typically are used to and is less focused on the traditional domain of CIOs, the selection of new hardware and software, he added. But he sees it as a good match for the chief data officer (CDO), a role whose job description is still being written in many organizations but generally includes responsibilities related to the strategic use of data.

Finding the proper balance between accessibility and security is crucial to the success of business intelligence efforts. The easiest way to protect data is to lock it away behind a firewall, but the more layers of security you add, the more difficult it is for users to access information. That can hamper data sharing and self-service BI and analytics projects.

Working in healthcare, Marko said he's seen the pendulum swing too far in the direction of locking down data. This is partly due to particularities of the industry, which is governed by the federal Health Insurance Portability and Accountability Act, a law that specifies strict patient privacy requirements. In many cases, "the problem isn't securing data," he said. "Sometimes the problem is un-securing data."

Breaches breed more caution on risks

Not every industry faces the same kind of regulatory stick when it comes to protecting data. But with the large number of high-profile data breaches in the past few years, more and more businesses in less regulated industries are also seeking to minimize their risks. Even without the threat of regulatory punishment, there's still the risk of reputational harm -- as well as possible financial losses and legal liabilities -- that can come from a breach.

That's not to say balancing data accessibility and security is a glamorous task. Figuring out which data is sensitive and needs tight protections, and identifying employee roles that should be granted access to data can be political and time-consuming. Business departments often control their own systems and don't want anyone telling them they're going to have limited access to the data in those systems.

Derek Strauss, CDO at online brokerage TD Ameritrade Inc., said during a session at the conference that when he first took on his current role four years ago, he didn't want to go anywhere near the issue of data accessibility because it was so political. But he added that he came to see it as a central function of his role. No one in the organization is better positioned to bring together heads of different departments and help them come to a consensus on accessibility versus security, Strauss said. "The CDO has to step into that role and orchestrate the solutions."

Some separation of data is natural

The biggest thing a CDO can do to support a healthy balance between access and security is to partition data logically through classifications and privilege settings, conference speakers advised. Marko said that identifying and classifying data according to metadata tags can be helpful. Mark Ramsey, CDO at U.K.-based pharmaceutical maker GlaxoSmithKline PLC, said setting access privileges based on report type is also a good way to maintain access control through partitioning.

For example, Ramsey said that reports about a company's financial statements are highly sensitive and shouldn't be shared widely throughout the organization. On the other hand, location-based marketing data is usually rather general and, therefore, not all that sensitive -- as a result, there's less at stake when it is accessed by users. "All data is not created equal," he said.

Not everyone agrees that balancing data accessibility against security should be within the purview of the CDO. Eugene Kolker, CDO at Seattle Children's Hospital, said during the same panel discussion in which Marko took part that his organization and many others already have a chief information security officer. In his view, the CDO should be more focused on making sure employees understand the data they have access to and are knowledgeable about the tools they have at their disposal. It would effectively be doubling up on that person's efforts for CDOs to engage so heavily in the realm of data security, Kolker noted. "The CDO can't do everything," he said.

Ed Burns is site editor of SearchBusinessAnalytics. Email him at eburns@techtarget.com and follow him on Twitter: @EdBurnsTT.

What are your tips for improving data accessibility without sacrificing security?
The article makes a good point in that the larger issues of data security are not technical but political, as in "who gets to see this data and why". Technically, making a rule for VPN access or getting to the data in a closed sandbox should be doable. The timeliness of that process and who gets access when is another story.
I have found that shaping access questions in the form of "Why should [a person or role] NOT have access?" begins to quickly differentiate business or regulatory reasons for denying access from personal and 'turf isolation' issues.  HIPAA compliance and reducing risk of 'unfair stock trading' occurrences are transparently different in impact and motivation than are reasons like "I don't want other Directors to know what I'm doing."  

In reality one of the strengths of more open access to information within the enterprise is the opportunity it presents for departments to learn from each other. 

If the CDO is the party most able to enable such recognition of value from the data (as well as set expectations and requirements for training prior to access) go for it! 
I don't think it should be the CDO _OR_ the CIO.... it should be the CDO _AND_ the CIO, with a senior DBA. The CDO is going to understand the underlying data and what it is used for, the CIO is going to understand what data cannot be exposed or shared for security reasons, and the DBA is going to understand the architecture of the databases and the schemas defined in the BI setup. They have to work together and collaborate and most importantly, document it using a data model.
That's my 2 cents.