Your organisational data strategy should contain elements of both defensive plays and attacking plays - it’s vital to understand the right ratio of defense vs attack to suit your organisational reality and risk appetite. In this series I’ll be walking through the process of landing a data strategy that delivers on organisational outcomes whilst meeting the risk appetite and customer expectations.

I’ll be covering:

  • Part 1: What is a Defensive Data Strategy?
  • Part 2: What is an Attacking Data Strategy?
  • Part 3: Defend vs Attack - How to Strike the Balance

Too many times I see companies get this wrong, and it hurts them on a big scale, so strap in and let’s walk through the elements needed to avoid those pitfalls.

Part 1: What is a Defensive Data Strategy?

How can we stay out of the headlines for all the wrong reasons?

The dreaded data breach - they damage reputations, weaken brands, create mistrust and do real and lasting damage to customers and those who are impacted. We have all seen the headlines, but most companies are still blissfully unaware of how close they are to it being their name up in lights.

Use cases aren’t hard to find (this will give you a taste and yes, LinkedIn doesn’t escape…) and while hindsight might be 20/20 there are some commonalities between the data strategies at play during these breach scenarios - none of them had a strong enough focus on data defense.

To ensure that you don’t become the next statistic, or at least to hedge your bets and cover your risk appetite, I’ll walk through the key elements you should think through as you develop the defensive portion of your Data Strategy. The two key areas of focus when articulating your defensive data strategy are two sides of the same coin: Data Governance and Data Management.

Let’s look at each of them in more detail.

Data Governance

Data Governance provides the guardrails, policies and processes to regulate and understand data as it transits through your organisation. Most governance processes should be technology agnostic and enterprise wide, and should aim to answer fundamental questions for all data within the organisation (who owns it, who is accountable for its use, which use cases have been given consent, what the regional laws are, etc.).

Your Governance strategy must cover your Data Ownership first and foremost - unowned data is ungoverned data. Data is everyone’s business, no one gets a free pass. Ownership should be clearly articulated with any delegations defined and documented - there needs to be a single throat to choke and a single point for ownership related decisioning.

Data Quality will come a close second in any defensive governance strategy. Whilst quality has often been considered part of the attacking strategy (good insights need a base of good quality data) there is a stronger defensive play here. Low quality data is a symptom of poor process and a robust data quality process will not simply mask the issues, it will aim to address them at their origin.

Once you’ve defined your Ownership and Quality policies, processes and guardrails it is time to consider the trinity of Consent, Privacy and Regulation. These will often be industry specific and always be region specific - if your organisation operates across geographic boundaries you’ll have to take all local regulations into consideration. Whilst GDPR may be the most well known of the data regulations (covering the EU), there are many more including:

  • Australia’s Privacy Act with the Notifiable Data Breaches amendment
  • Canada’s Digital Charter Implementation Act (Bill C-27)
  • China’s Personal Information Protection Law (PIPL)
  • India’s Personal Data Protection Bill (PDPB)
  • South Africa’s Protection of Personal Information Act (PoPIA)

And the list goes on… These laws and regulations are not to be taken lightly and can take considerable technical and policy effort to implement successfully. Given the global nature of most businesses nowadays it’s commonplace to implement policies that take into consideration multiple regulations and laws to ease the complexity of implementation.

Data Management

Data Management is sometimes an umbrella term that can include Data Governance as a subset - for the purpose of this article Data Management is defined as all other activities required to defend your organisational data that aren’t already covered by your Data Governance processes and policies. The remaining pieces of the defensive puzzle tend to be more technical in nature, focusing on Data Security, Data Architecture and Metadata Management (including Data Catalogs and Marketplaces).

A robust Data Security ecosystem is a necessity in today’s world where the value of data is equally known by the people who want to keep it safe, and those who wish to use it for nefarious purposes. When considering your data security tooling and platforms you must account for data at rest and data in transit, and for what is on premise vs cloud based. Perhaps most often confused or overlooked, you must also ensure you have both a masking/obfuscation strategy (to prevent unauthorised viewing of data) and an encryption strategy (to prevent unauthorised access of data).

Your Data Architecture needs to be secure by design. The barrier to entry for platform and ecosystem design is getting lower as cloud providers enable services to be spun up at the click of a button, and whilst their individual services will be secure by design, any designs you customise by integrating multiple services together will potentially open up vectors of insecurity. Don’t get fixated on the latest architectural buzzwords: the world of data is changing at such a rapid pace that the pattern du jour will likely change before you’ve finished implementation anyway. There’s a high likelihood you don’t need to be cutting edge, you need to be tried and tested, so stick to patterns that are industry recognised and architectural blueprints that are cloud-vendor recommended.

Finally, your Metadata Management strategy is going to save you a lot of time if you get it right. Like the ingredients and labels on food packaging, metadata is key for your consumers’ understanding of the offering and is equally important when it comes to automation of build, scheduling/orchestration and test activities. The more time you invest upfront into nailing the tooling and processes for metadata collection, correction and maintenance, the better. You will save yourself in the long run: too many times I’ve seen organisations have to invest unpalatable amounts of time, money and effort retrospectively fixing (or, worse still, building from the ground up) their metadata capabilities after the fact.

Industries that preference Defense over Attack

There are some industries that employ all-out defensive data strategies, and they tend to be where innovation is methodical (some may say glacial) as a matter of necessity and control can be literally a matter of life and death. Hospitals and surgical practices are prime examples of organisations and entities who will preference a strong defensive data strategy - clinical data, research data, patient health data, where poor data quality could prevent the saving of a life and a data security breach would be monumentally damaging for patients and all involved.

These industries are the exception, not the rule. The vast majority of organisations will sit further on the spectrum towards employing some level of an Attacking Data Strategy to spur on innovation, to unlock additional value and insights from data and to encourage a level of data democratisation.

In Part 2 of this series we’ll discover the elements of an Attacking Data Strategy and investigate how those pieces of the puzzle fit together to unlock incredible value from data and insights and, in some instances, change the world.