Value-based data risk management

A balanced offensive

Why balance? Because exponential data growth provides an upside and a downside, which represent both opportunities and risks. Combing through this data enables organizations to develop more targeted products and services, enhance feature sets, offer rich customer service, and more. However, the proliferation of data and the increasing complexity of how it’s used exposes organizations to a tremendous amount of risk.

Increasing complexity of data

• Hybrid cloud adoption grew from 19% to 57% in 2016 and 2017.¹
• The number of computers, mobile phones, sensors, and controllers for IoT devices is estimated to reach 1 trillion by 2020^.2
• 33% of companies commercialize or share their data for revenue.³
• Top-performing companies are 3x as likely to share their data.⁴
• By 2020, 50% of information governance initiatives will be enacted with policies that are based on metadata alone.⁵

As a result, many organizations are elevating conversations about data to the boardroom. As leaders develop data strategies for a digital world, data must be analyzed equally as a liability and an asset.

A broader approach to data risk management

Data isn’t solely the domain of cyber professionals. It’s created throughout all portions of an organization and, therefore, a broader approach to data risk management is needed. Data risk management is the responsibility of groups across the business, including marketing, human resources, operations, information technology, legal, and compliance. In fact, many companies are designating a C-suite leader to be responsible for managing data risk. This is an acknowledgement that all data is enterprise data, and that it’s not owned or siloed by any one area of the business.

Because all data isn’t of equal value to the business, a deeper approach is required. Organizations must determine how much protection to place around different categories of data. Building controls around all of an organization’s data creates a tremendous financial burden, potentially dooming the strategy to fail.

Most organizations have traditionally taken a “crown jewels” approach to data risk management. But a crown jewels rationale—a de facto standard that includes customer data, trade secrets, intellectual property, and so on—doesn’t capture how that data affects the business and drives operational and financial performance. Organizations are evolving as they begin to understand the true value of their data.

A crown jewels mind-set is also rooted in a focus on compliance, when what’s needed is an emphasis on value. For example, an organization may be diligent about how it stores and protects customers’ social security numbers in order to comply with regulatory requirements. But if this data doesn’t provide value to the organization, why store it at all?

Arming the troops: A talent reset

In addition to data risk challenges, organizations are faced with a widening skills gap. Finding the right talent and then arming those professionals with the right tools to safeguard valued data elements is no easy task.

Some specific challenges include:

• High costs to recruit, hire, and retain professionals
• Difficulty finding professionals who possess both technology awareness and business acumen
• Lack of staff to implement data risk governance and controls

In the data risk management war, organizations must address exponential data growth as well as internal and external threats to that data. But a challenge is that many organizations are deploying already depleted troops. There are too many tools and not enough people to configure, implement, and operate those tools properly. What’s more, this situation will likely only intensify over time. As organizations increasingly deploy machines in their business models, they will need professionals with advanced skills to govern those machines.

Organizations also sometimes find themselves sending in ill-equipped troops, forcing cybersecurity professionals to deal with business issues they may not be familiar or comfortable with. This can be likened to asking someone who has been trained to navigate an aircraft carrier to suddenly operate a rocket launcher. For example, when cybersecurity professionals are asked to discuss the data that’s involved in a marketing campaign, they may be at a loss.

Not all cybersecurity resources have had the opportunity to expand their skill sets across the traditional foundations of business, nor do they fully understand how data migrates throughout the organization. Therefore, the next frontier of data risk management calls for a hybrid talent model—one-part business analyst, one-part cyber risk professional—that can bridge both worlds, from cloud computing and IoT to understanding how data risk decisions impact revenue recognition and EBITDA.

In short, a paradigm shift is required. Because the challenges and opportunities around data risk management have become broader, the skill sets needed to address it have become broader as well.

This talent gap is driving many enterprises to managed services. A managed services model can lead to scalable and accelerated business outcomes. It can also allow organizations to focus on what they do best: creating and maintaining value for their core business operations.

Plan of attack: Value-based data risk management

In an increasingly data-centric world, organizations must balance risk with innovation, profits, and talent. Since they can’t protect all their data, organizations must focus their efforts on the data that’s most valuable to their business.

Value-based data risk management

To that end, organizations should:

• Understand that a crown jewels approach on its own is insufficient
• Determine the real value of their data to the enterprise
• Map that data to the corresponding value in the business
• Make informed decisions about third parties, managed services, tools and technologies, operational plans, and more

Organizations must also prioritize data risk management and put it on an equal footing with traditional information and network security, and they must dedicate as much of their budgets to true data risk management as they do to a traditional cybersecurity budget. The emphasis must be on business value and not on a technology arms race.

A winning campaign for your organization

What are the benefits of value-based data risk management? The alignment of data to the business, the use of data elements to enhance products and services and drive additional revenue, mitigated risk exposure, opportunities to increase profits via operational efficiencies, and more. Organizations are able to understand the value of data, its impact to the business, and whether it is an asset, a liability, or a hybrid.

Also, much like an International Organization for Standardization (ISO) system, value-based data risk management can become a program that’s part of your organization’s heartbeat. Just as an ISO program instructs organizations on how to live and breathe quality, value-based data risk management gives organizations the ability to adopt a more robust data risk management culture.

The need for a “living” program is critical because data risk management is an ongoing challenge. Implementing a value-based program can enable organizations to make decisions—from the acquisition and divestiture of data to third-party data management and emerging technologies. With the required expertise, those decisions can lead to scalable and accelerated business outcomes.

Take command of your data life cycle

It’s critical for organizations to keep value-based data risk management front and center when considering the data life cycle, because this approach can help companies manage data risk more effectively.

Do you really know the actual versus perceived behavior of your data along the data life cycle? Here are questions your organization should consider to effectively create, collect, store, process, analyze, use, share, transfer, destroy, or archive its business-critical data in a value-based manner.

The march to value-based data risk management

As your organization adapts to the increasingly sophisticated data risk management battlefield—from collecting and protecting your data to archiving and destroying it—organizations will be better positioned to leverage the benefits of their data while managing the associated risks. Organizations will also be better prepared to seize the competitive advantage that value-based data risk management can provide.

Does your battle plan include a value-based data risk management approach?

How can Deloitte help

Deloitte Risk and Financial Advisory can help you build a mature risk program around your organization’s most valuable data. With access to 21,000 risk management and security professionals in the global Deloitte Touche Tohmatsu Limited network of member firms—and more than 3,000 cyber risk practitioners in the US alone—we can assist you in truly discerning the value of your data and managing your data risk throughout the data life cycle.

Endnotes

¹Louis Columbus, “2017 State Of Cloud Adoption And Security,” Forbes, April 23, 2017
²Barika Pace and Ruggero Contu, “Solving the IoT Security Talent Gap: Where You Look Matters,” Gartner, March 8, 2018
³Jennifer Belissent, Ph.D., et al. "Data Commercialization: A CIO's Guide To Taking Data To Market," Forrester, June 7, 2017. [Purchase required]
⁴Ibid