agsandrew - Fotolia

CDOs say data accessibility plans should be theirs to lead

Balancing data access and security in an organization isn't the most glamorous task, but several chief data officers at an MIT conference said it's something CDOs need to take charge of.

The question of what data to liberate for use in self-service analytics applications and what data to lock down continues to vex many businesses. Most organizations today would like to consider themselves data-driven, and at the heart of that posture is often a self-service ecosystem that gives large numbers of users access to data and the ability to analyze it. At the same time, large-scale data breaches continue to dominate headlines, highlighting the risks of open access.

For Nicholas Marko, chief data officer at Geisinger Health System in Danville, Pa., it's up to CDOs like him to figure out how to strike the balance between data accessibility and security. Speaking at the 2015 MIT Chief Data Officer & Information Quality Symposium in Cambridge, Mass., last week, Marko said responsibility for an organization's data strategy isn't really a good fit anywhere else. It requires more strategic thinking than IT departments typically are used to and is less focused on the traditional domain of CIOs, the selection of new hardware and software, he added. But he sees it as a good match for the chief data officer (CDO), whose job descriptions are still being written in many organizations, but generally include responsibilities related to the strategic use of data.

Finding the proper balance between accessibility and security is crucial to the success of business intelligence efforts. The easiest way to protect data is to lock it away behind a firewall, but the more layers of security you add, the more difficult it is for users to access information. That can hamper data sharing and self-service BI and analytics projects.

Working in healthcare, Marko said he's seen the pendulum swing too far in the direction of locking down data. This is partly due to particularities of the industry, which is governed by the federal Health Insurance Portability and Accountability Act, a law that specifies strict patient privacy requirements. In many cases, "the problem isn't securing data," he said. "Sometimes the problem is un-securing data."

Breaches breed more caution on risks

Not every industry faces the same kind of regulatory stick when it comes to protecting data. But with the large number of high-profile data breaches in the past few years, more and more businesses in less regulated industries are also seeking to minimize their risks. Even without the threat of regulatory punishment, there's still the risk of reputational harm -- as well as possible financial losses and legal liabilities -- that can come from a breach.

All data is not created equal.
Mark RamseyCDO at GlaxoSmithKline

That's not to say balancing data accessibility and security is a glamorous task. Figuring out which data is sensitive and needs tight protections, and identifying employee roles that should be granted access to data can be political and time-consuming. Business departments often control their own systems and don't want anyone telling them they're going to have limited access to the data in those systems.

Derek Strauss, CDO at online brokerage TD Ameritrade Inc., said during a session at the conference that when he first took on his current role four years ago, he didn't want to go anywhere near the issue of data accessibility because it was so political. But, he added that he came to see it as a central function of his role. No one in the organization is better positioned to bring together heads of different departments and help them come to a consensus on accessibility versus security, Strauss said. "The CDO has to step into that role and orchestrate the solutions."

Some separation of data is natural

The biggest thing a CDO can do to support a healthy balance between access and security is to partition data logically through classifications and privilege settings, conference speakers advised. Marko said that identifying and classifying data according to metadata tags can be helpful. Mark Ramsey, CDO at U.K.-based pharmaceutical maker GlaxoSmithKline PLC, said setting access privileges based on report type is also a good way to maintain access control through partitioning.

For example, Ramsey said that reports about a company's financial statements are highly sensitive and shouldn't be shared widely throughout the organization. On the other hand, location-based marketing data is usually rather general and, therefore, not all that sensitive -- as a result, there's less at stake when it is accessed by users. "All data is not created equal," he said.

Not everyone agrees that balancing data accessibility against security should be within the purview of the CDO. Eugene Kolker, CDO at Seattle Children's Hospital, said during the same panel discussion in which Marko took part that his organization and many others already have a chief information security officer. In his view, the CDO should be more focused on making sure employees understand the data they have access to and are knowledgeable about the tools they have at their disposal. It would effectively be doubling up on that person's efforts for CDOs to engage so heavily in the realm of data security, Kolker noted. "The CDO can't do everything," he said.

Ed Burns is site editor of SearchBusinessAnalytics. Email him at [email protected] and follow him on Twitter: @EdBurnsTT.

Next Steps

How much data accessibility is safe in a BYOD environment?

Data architecture is key to getting self-service analytics right

Don't forget about these self-service analytics pitfalls

Dig Deeper on Business intelligence best practices