Coordinate Data Security Governance with Business Requirements

June 14, 2016

Contributor: Kasey Panetta

To ensure adequate security and data governance, involve the business in planning data rules and requirements.

Within the world of data security exists a singular truth: Not all data is created equal. However, companies have a habit of treating all data in the same way. This means that the most sensitive data is being protected at the same level as the least sensitive data.

“You’re never truly going to have perfect security,” says Brian Reed, research director at Gartner, at the Gartner Security & Risk Management Summit. Companies need to balance security options with the needs of the business.


The increase in cross-platform usage means data is more spread out in the enterprise. The challenge for IT arises when its security practices fail to consult the rest of the business and to acknowledge who needs access to specific data and why.

In fact, 11% of business units have no involvement in setting information security policy.


“As counterintuitive as it may sound, data security needs to become a business enabler, support business agility, and support new digital business processes that are not sustainable without it. And for that, data security needs to be business goal driven and led,” says Reed.

IT should establish the business requirements for data and use that prioritization to address data security governance. This will create a system that works for the entire enterprise.

Consult the drivers

Mr. Reed shared an example of when, in 1967, Sweden changed from driving on the left to driving on the right side of the road. Road signs were confusing, no one directed the process, and the result was a disastrous day of driving because the system lacked governance. The government had established rules based on what they needed, but hadn’t consulted the drivers.

Similarly, when IT departments create data rules without consulting business stakeholders, the result can be as confusing as a country full of drivers playing by their own rules. For example, data security governance fails when data is tagged or classified inconsistently, automated processes are inconsistent, and users misinterpret the differences between confidential and highly confidential data.

Secure data in a business-oriented manner

As data storage evolves, data security must look into how data moves throughout the enterprise to prevent loss and leakage. The goal should be to “create an ecosystem of data” without leaking sensitive information. The goal is to secure the point of creation, as opposed to the more traditional approach of securing how the information is being sent.

Essentially, companies should focus less on creating secure pipelines and more on using smart information that knows where it is supposed to be, advised Mr. Reed. This will allow the right person to access the right data to enable desired business outcomes.  
