The emergence of business models driven by data, along with the evolution of modern analytics and cloud capabilities, has increased the interest in data management multifold. As a result, enterprises are breaking down data siloes, transforming their data architectures, and democratizing access to data tools to accelerate decision-making.

But the journey to the data-driven enterprise remains challenging, riddled with roadblocks, from budgeting issues to buy-in difficulties. And sound data governance practices can’t be given short shrift in the rush to unlock hidden insights from data.

With all that, in addition to privacy and compliance laws continually evolving across the globe, the chief data officer role has become a highly challenging — and enterprise-critical — balancing act. To learn more about how data leaders are embracing the challenge, CIO.com caught up with Tejasvi Addagada, chief data officer at HDFC Bank, to discuss the various aspects of data impacting enterprises today.

Tapping the business value of data while keeping it secure is a complex balancing act. How can IT leaders convert data into dollars while ensuring its security?   

Addagada: A well-desired culture change of data awareness in an organization can be achieved through data democratization, a science that makes data accessible to anyone. By making data available and easily accessible, revenue streams can be improved through direct and indirect monetization of data. 

Data protection enables responsible data consumption on the heels of data democratization. Even though a data marketplace cannot provide free access to all data, there can be risk-based controls that must be actively managed. A few of these controls are privacy, security, authentication, encryption, entitlements, user access management, device management, and data rights management. 

New privacy laws are coming into force while existing ones are under constant review. Technology leaders must account for the laws of every geography they do business in, as a breach can bring about strong penalties. How can data officers meet regulations confidently?

Addagada: Privacy policy is constantly evolving across geographies, towards providing more control for customers on their personal data yet letting companies and public authorities share what is required for efficient governance, better service, and public good. Privacy engineering as a science must cater to providing geographical awareness that is backed by technology advancements like catalog, privacy, and security analytics.

Assessment of the threat surface area begins with determining the classification of personal data in a geographical area. It is crucial that the catalog has the intelligence to apply geographical rules to classify the personal data, since what constitutes personal data differs between countries. As an example, financial information may be considered sensitive personal data in India but not in Europe.  

Over 137 countries have legislation to protect data and privacy. The data office can formalize, as part of the overall breach incident response, the integration of privacy intelligence and thereby privacy reporting tasks that have geographical context. Further, data offices can partner with the legal teams to ensure compliance with regulatory requirements. 

Siloed data undercuts its value. What approach should IT decision makers undertake to ensure an end-to-end data discovery process across the network?

Addagada: If data is siloed, it cannot be used for developing insights and products. For an organization that is yet to invest in managing its data and thinks centralization is costly or a bottleneck, a data mesh architecture is a decentralized approach at its core, with its domain team ingesting its operational and analytical data and developing data products.

However, even in a decentralized setup, data needs to be discovered, as what is not known cannot be used. Information Technology as a function will have to support a data discovery platform with an objective to understand the technical data estate that can then be defined as meaning by domain teams.

The implementation of data governance is both imperative and challenging to prevent multiple versions of the truth within an organization. How can proper data governance be ensured?

Addagada: From the initial concept of corporate governance, IT governance has evolved into the recent concept of data governance. Globally, the adoption of cloud services, the evolution of modern data stacks, and improved data literacy have led to a greater interest in governing data over the past years.

Implementing data governance is necessary to get sustainable value from data. A subfunction can be formalized as an authorized provisioning service. It can support activities that help ensure that a data element can be rightfully sourced from a designated provisioning point. In addition, it can have the domain team express their trust in certifying data as a system of record as well as authorized to provision. 

Other technologies that can help the identification and certification of a single version of truth are data discovery, profiling, quality, and observability, to name a few.

If there are multiple values to properties of an entity like a customer, technology like master data management can translate the know-how of operational personnel into prioritization and survivorship rules that can create and maintain a version of the truth that can be consumed universally within an organization. 

Data-driven projects demand a substantial investment of budget and resources. How can data officers justify both?  

Addagada: Investments into data capabilities and development of data products have increased multifold over the past years. This requires investments into tools as well as commissioning people as well as augmented knowledge workers like consultants along with setting up new processes as well as interventions.

Formalizing management of data through data governance can increase transparency, accountability, responsibility, independence, and fairness in implementing corporate governance. One crucial aspect of formalization from data offices is assessing return-on-investment on investments and maintaining the value of data assets. 

What tips would you share with IT leaders looking to establish a data strategy and direction for their companies?  

Addagada: The 1994 Hawley Committee report first identified data as an asset, defining it as ‘data that is or should be documented, and that has value or potential value.’ Data offices can focus on the decision rights related to the data assets and the network of relations to ensure data is qualitative, consistent, usable, secure, protected, and yet available.

In the past decade, the interest in data management has increased multifold with the evolution of business models that are driven by data along with the evolution of the modern data stack and cloud capabilities. This has in fact resulted in a need for improved data literacy around the globe. Industry bodies like DAMA, EDM Council, along with other data communities are providing global literacy around benefits of managing data with standard frameworks.

During the process of determining the company’s goals, the board is entrusted with exercising critical judgment, while the data office is responsible for designing data strategy and policies to ensure that these goals that have data contribution are met. 

Information Technology is not to blame for the emphasis on people and process capabilities; however, it should be considered when planning future technology investments that can enable the achievement of the goals outlined by data and business strategy. 

IT leaders can keep up with rapid advancements in data technology including data collection, cloud storage and processing, machine learning operations, automation in data operations and data security to name a few domains of interest. Within the organization, the data officer can build a data-driven culture by imparting awareness around benefits of managing data activities through interactive newsletters, roadshows, board representation and formalization of people and processes that involve data. 

Data governance definition

Data governance is a system for defining who within an organization has authority and control over data assets and how those data assets may be used. It encompasses the people, processes, and technologies required to manage and protect data assets.

The Data Governance Institute defines it as “a system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”

The Data Management Association (DAMA) International defines it as the “planning, oversight, and control over management of data and the use of data and data-related sources.”

Data governance framework

Data governance may best be thought of as a function that supports an organization’s overarching data management strategy. Such a framework provides your organization with a holistic approach to collecting, managing, securing, and storing data. To help understand what a framework should cover, DAMA envisions data management as a wheel, with data governance as the hub from which the following 10 data management knowledge areas radiate:

Data architecture: The overall structure of data and data-related resources as an integral part of the enterprise architecture
Data modeling and design: Analysis, design, building, testing, and maintenance
Data storage and operations: Structured physical data assets storage deployment and management
Data security: Ensuring privacy, confidentiality, and appropriate access
Data integration and interoperability: Acquisition, extraction, transformation, movement, delivery, replication, federation, virtualization, and operational support
Documents and content: Storing, protecting, indexing, and enabling access to data found in unstructured sources and making this data available for integration and interoperability with structured data
Reference and master data: Managing shared data to reduce redundancy and ensure better data quality through standardized definition and use of data values
Data warehousing and business intelligence (BI): Managing analytical data processing and enabling access to decision support data for reporting and analysis
Metadata: Collecting, categorizing, maintaining, integrating, controlling, managing, and delivering metadata
Data quality: Defining, monitoring, maintaining data integrity, and improving data quality

When establishing a strategy, each of the above facets of data collection, management, archiving, and use should be considered.

The Business Application Research Center (BARC) warns that data governance is a highly complex, ongoing program, not a “big bang initiative,” and it runs the risk of participants losing trust and interest over time. To counter that, BARC recommends starting with a manageable or application-specific prototype project and then expanding across the company based on lessons learned.

BARC recommends the following steps for implementation:

Define goals and understand benefits
Analyze current state and delta analysis
Derive a roadmap
Convince stakeholders and budget project
Develop and plan the data governance program
Implement the data governance program
Monitor and control

Data governance vs. data management

Data governance is just one part of the overall discipline of data management, though an important one. Whereas data governance is about the roles, responsibilities, and processes for ensuring accountability for and ownership of data assets, DAMA defines data management as “an overarching term that describes the processes used to plan, specify, enable, create, acquire, maintain, use, archive, retrieve, control, and purge data.”

While data management has become a common term for the discipline, it is sometimes referred to as data resource management or enterprise information management (EIM). Gartner describes EIM as “an integrative discipline for structuring, describing, and governing information assets across organizational and technical boundaries to improve efficiency, promote transparency, and enable business insight.”

Importance of data governance

Most companies already have some form of governance for individual applications, business units, or functions, even if the processes and responsibilities are informal. As a practice, it is about establishing systematic, formal control over these processes and responsibilities. Doing so can help companies remain responsive, especially as they grow to a size in which it is no longer efficient for individuals to perform cross-functional tasks. Several of the overall benefits of data management can only be realized after the enterprise has established systematic data governance. Some of these benefits include:

Better, more comprehensive decision support stemming from consistent, uniform data across the organization
Clear rules for changing processes and data that help the business and IT become more agile and scalable
Reduced costs in other areas of data management through the provision of central control mechanisms
Increased efficiency through the ability to reuse processes and data
Improved confidence in data quality and documentation of data processes
Improved compliance with data regulations

Goals of data governance

The goal is to establish the methods, set of responsibilities, and processes to standardize, integrate, protect, and store corporate data. According to BARC, an organization’s key goals should be to:

Minimize risks
Establish internal rules for data use
Implement compliance requirements
Improve internal and external communication
Increase the value of data
Facilitate the administration of the above
Reduce costs
Help to ensure the continued existence of the company through risk management and optimization

BARC notes that such programs always span the strategic, tactical, and operational levels in enterprises, and they must be treated as ongoing, iterative processes.

Data governance principles

According to the Data Governance Institute, eight principles are at the center of all successful data governance and stewardship programs:

All participants must have integrity in their dealings with each other. They must be truthful and forthcoming in discussing the drivers, constraints, options, and impacts for data-related decisions.
Data governance and stewardship processes require transparency. It must be clear to all participants and auditors how and when data-related decisions and controls were introduced into the processes.
Data-related decisions, processes, and controls subject to data governance must be auditable. They must be accompanied by documentation to support compliance-based and operational auditing requirements.
Programs must define who is accountable for cross-functional data-related decisions, processes, and controls.
Programs must define who is accountable for stewardship activities that are the responsibilities of individual contributors and groups of data stewards.
Programs must define accountabilities in a manner that introduces checks-and-balances between business and technology teams, and between those who create/collect information, those who manage it, those who use it, and those who introduce standards and compliance requirements.
The program must introduce and support standardization of enterprise data.
Programs must support proactive and reactive change management activities for reference data values and the structure/use of master data and metadata.

Best practices of data governance

Data governance strategies must be adapted to best suit an organization’s processes, needs, and goals. Still, there are six core best practices worth following:

Identify critical data elements and treat data as a strategic resource.
Set policies and procedures for the entire data lifecycle.
Involve business users in the governance process.
Don’t neglect master data management.
Understand the value of information.
Don’t over-restrict data use.

For more on doing data governance right, see “6 best practices for good data governance.”

Challenges in data governance

Good data governance is no simple task. It requires teamwork, investment, and resources, as well as planning and monitoring. Some of the top challenges of a data governance program include:

Lack of data leadership: Like other business functions, data governance requires strong executive leadership. The leader needs to give the governance team direction, develop policies for everyone in the organization to follow, and communicate with other leaders across the company.
Lack of resources: Data governance initiatives can struggle for lack of investment in budget or staff. Data governance must be owned by and paid for by someone, but it rarely generates revenue on its own. Data governance and data management overall, however, are essential to leveraging data to generate revenue.
Siloed data: Data has a way of becoming siloed and segmented over time, especially as lines of business or other functions develop new data sources, apply new technologies, and the like. Your data governance program needs to continually break down new siloes.

For more on these difficulties and others, see “7 data governance mistakes to avoid.”

Data governance software and vendors

Data governance is an ongoing program rather than a technology solution, but there are tools with data governance features that can help support your program. The tool that suits your enterprise will depend on your needs, data volume, and budget. According to PeerSpot, some of the more popular solutions include:

Data governance solution | Description and features
Collibra Governance | Collibra is an enterprise-wide solution that automates many governance and stewardship tasks. It includes a policy manager, data helpdesk, data dictionary, and business glossary.
SAS Data Management | Built on the SAS platform, SAS Data Management provides a role-based GUI for managing processes and includes an integrated business glossary, SAS and third-party metadata management, and lineage visualization.
erwin Data Intelligence (DI) for Data Governance | erwin DI combines data catalog and data literacy capabilities to provide awareness of and access to available data assets. It provides guidance on the use of those data assets and ensures data policies and best practices are followed.
Informatica Axon | Informatica Axon is a collection hub and data marketplace for supporting programs. Key features include a collaborative business glossary, the ability to visualize data lineage, and generate data quality measurements based on business definitions.
SAP Data Hub | SAP Data Hub is a data orchestration solution intended to help you discover, refine, enrich, and govern all types, varieties, and volumes of data across your data landscape. It helps organizations to establish security settings and identity control policies for users, groups, and roles, and to streamline best practices and processes for policy management and security logging.
Alation | Alation is an enterprise data catalog that automatically indexes data by source. One of its key capabilities, TrustCheck, provides real-time “guardrails” to workflows. Meant specifically to support self-service analytics, TrustCheck attaches guidelines and rules to data assets.
Varonis Data Governance Suite | Varonis’s solution automates data protection and management tasks leveraging a scalable Metadata Framework that enables organizations to manage data access, view audit trails of every file and email event, identify data ownership across different business units, and find and classify sensitive data and documents.
IBM Data Governance | IBM Data Governance leverages machine learning to collect and curate data assets. The integrated data catalog helps enterprises find, curate, analyze, prepare, and share data.

Data governance certifications

Data governance is a system but there are some certifications that can help your organization gain an edge, including the following:

DAMA Certified Data Management Professional (CDMP)
Data Governance and Stewardship Professional (DGSP)
edX Enterprise Data Management
SAP Certified Application Associate – SAP Master Data Governance

For related certifications, see “10 master data management certifications that will pay off.”

Data governance roles

Each enterprise composes its data governance differently, but there are some commonalities.

Steering committee

Governance programs span the enterprise, generally starting with a steering committee comprising senior management, often C-level individuals or vice presidents accountable for lines of business. Morgan Templar, author of Get Governed: Building World Class Data Governance Programs, says steering committee members’ responsibilities include setting the overall governance strategy with specific outcomes, championing the work of data stewards, and holding the governance organization accountable to timelines and outcomes.

Data owner

Templar says data owners are individuals responsible for ensuring that information within a specific data domain is governed across systems and lines of business. They are generally members of the steering committee, though may not be voting members. Data owners are responsible for:

Approving data glossaries and other data definitions
Ensuring the accuracy of information across the enterprise
Directing data quality activities
Reviewing and approving master data management approaches, outcomes, and activities
Working with other data owners to resolve data issues
Second-level review for issues identified by data stewards
Providing the steering committee with input on software solutions, policies, or regulatory requirements of their data domain

Data steward

Data stewards are accountable for the day-to-day management of data. They are subject matter experts (SMEs) who understand and communicate the meaning and use of information, Templar says, and they work with other data stewards across the organization as the governing body for most data decisions. Data stewards are responsible for:

Being SMEs for their data domain
Identifying data issues and working with other data stewards to resolve them
Acting as a member of the data steward council
Proposing, discussing, and voting on data policies and committee activities
Reporting to the data owner and other stakeholders within a data domain
Working cross-functionally across lines of business to ensure their domain’s data is managed and understood

When it comes to data, the first question isn’t whether you can measure something, it’s whether you should. What you can or should measure impacts what you can do as a business, potentially affecting your business model. Along with respecting regulatory compliance requirements and the privacy rights of individuals, it’s necessary to consider the business value of data. You can’t run a business if you’re unsure about data protection mandates or what can be measured. That’s why data governance must underpin the business model and strategy. It needs a seat in the executive suite.

The introduction of GDPR and other data protection regulations has forced every business to be aware of data privacy boundaries: What data can be measured and stored, and who has access? Data governance ensures only authorized individuals have access to specific data, with controls to protect sensitive data such as personally identifiable information (PII).

Getting it wrong has serious legal, financial, and reputational implications for your business. A strong legal team with data privacy experience is fundamental to understanding the risk and interpreting what laws affect your business. It’s a complex landscape with no single regulatory body and rules that vary from country to country.

There must be a specific group within IT operations, a data team, that ensures your business collects and stores the right information and controls accessibility. With those guardrails in place, only then can a data analyst or data scientist safely access and interpret that information to create business value.

The Benefits of Data Governance

Data governance delivers a straight quantifiable return on investment with improved operational efficiency and reduced business risk. For example, having employees searching through reams of data that have no impact on business outcomes is a waste of time and money. But with structured policies in place that determine who should have access to what data, you can avoid that problem. Plus, access to confidential information is carefully controlled, reducing the risk of costly data breaches and compliance failures while providing measurable financial benefits. Effective data governance also creates a competitive advantage. As a compliant business, you’re able to enhance your brand by building trust with consumers and partners.

Key Steps to Building a Data Governance Strategy

Comprehensive data governance must be planned and implemented as early as possible. Here are key steps to building an effective strategy:

Appoint a data champion on the executive team to lead the charge and incorporate data governance into your business.
Build SMART (specific, measurable, achievable, relevant, time-bound) data goals that add business value.
Develop a data dictionary with a well-documented glossary of metrics for your business.
Categorize and determine what data is confidential to reduce legal risk, improve operational efficiency, and build a competitive advantage.
Establish privacy and governance policies to ensure you collect the right data at the right time and limit access to necessary individuals.
Build infrastructure and systems to back up your policies along with the budget to support them.
Base all infrastructure and data platforms on security to ensure data is used responsibly at all times.
Communicate with the business. Data governance should be well understood by company executives and respected as a critical part of day-to-day operations.

Streamlining Data Use

Data access can be streamlined by establishing workflows that automatically route requests to the right people and instantaneously grant access once approved. This takes pressure off the data team, empowers data owners, and ensures everything is monitored and governed.

Preparing for the Future

Data privacy is complicated. Security will continue as an essential part of the data governance journey. Data governance must continually evolve in step with regulatory changes and new business opportunities. Consequently, businesses should consider future scenarios, create a multi-year plan, and shore up data protection defenses.

To achieve enduring success, companies must have the technology, people, and processes in place to support data governance, enable analytics, and drive business growth.

How do you become data-driven? It’s a question that seemingly has infinite answers. That’s why many companies flounder in the ambiguity of data-driven initiatives absent of concrete, actionable focus areas. Forward-thinking leaders are strategically focused on a particular data-driven initiative — self-service data access and governance.

But even for companies who’ve succeeded in pinpointing the core data-driven initiative of self-service data sharing, creating a plan and implementing it is exponentially easier said than done. Why? The dual mandate. It’s about much more than just collecting, storing, and processing data. IT, security, and privacy teams need to provide fast, agile data access to reduce time to insights while maintaining compliance and regulatory requirements. So, how do architects achieve and maintain the right balance of security and speed? How do they empower analytic and data science teams with safe and timely access to insights? Swinging the pendulum too far to one side — opening the data floodgates to give teams data as fast as possible — or too far to the other side — locking data down with overly stringent policies — leads to severe business, security, and compliance consequences. What’s the key to the speed-security balance?

Balancing data democratization with security, privacy, and compliance

The key to successfully meeting the dual mandate of agile and secure data access is comprehensive, enterprise-wide data governance. 

Escalating privacy regulations plus evolving consumer preferences, on top of internal security requirements, leave little room for error in an organization’s responsible data usage. In the face of increasingly tough compliance regulations, the default approach for IT and security teams has been a tight lockdown of data to ensure compliance and security. Without an enterprise-wide, centralized system of accountability, privacy and security teams often deny access to personally identifiable information (PII) and other sensitive data. This lack of analytical agility is a major blocker to becoming data-driven and a significant, growing source of friction between teams since business users, data scientists, and analysts demand rapid access to a wide swath of data.

Then there’s the challenge of the expanding, diverse, and hybrid multi-service and multi-cloud data estate requiring management and data access policies. 

Unified data security and access governance

Savvy organizations have had an epiphany. They realize data access governance must be one of the top disciplines they need to master for compliant data at scale. Most enterprises have some form of data access governance in action, and those with automated execution have separated themselves from the pack. From onboarding new data or new users to a 1,000-fold reduction in the number of policies, enterprises that automate reap massive cost savings and operational efficiencies.

Unified data access governance grants a singular experience for creating, managing, enforcing, and executing policies. This unified approach is essential to modernizing data architectures, meeting increasingly stringent regulations, enhancing operational efficiency, and keeping data flowing with secure agility. 

So, what are the critical elements of a unified data security platform?

Universal data coverage: Create policies centrally. Consistently and natively enforce those policies to reduce complexity across hybrid cloud multi-service data estates. Build once, deploy everywhere.
Transparent to end users: No impact to query performance and no need to make changes to end-user queries when leveraging native integration and enforcement of policies across diverse data services.
Automated: Policies are automatically translated into data service-specific commands. Built-in approval workflows automate access requests and new policy creation.
Based on open standards: Leverages the proven Apache Ranger architecture to provide the broadest range of pre-built integrations with structured and semi-structured data sources as well as identity management solutions.
Future-proof: Easy to add new data sources. Built-in support for industry compliance and regulations.

Where to start your unified data security journey

Privacera is a Unified Data Security Platform founded by the creators of Apache Ranger and Apache Atlas. With build once, deploy anywhere capabilities, Privacera empowers enterprise users to holistically secure and protect data with consistent and native enforcement across hybrid cloud data estates. Privacera supports the entire lifecycle of data access and security governance with an automated solution that provides sensitive data discovery, fine-grained access control, distributed native policy enforcement, and extensive auditing and reporting. All delivered through a single pane of glass.

See for yourself why Fortune 100 enterprises trust Privacera’s unified data access governance — request a demo today.


Every company and government entity is tasked with striking a critical balance between data access and security. As Forrester’s Senior Analyst Richard Joyce stated, “For a typical Fortune 1000 company, just a 10 percent increase in data accessibility will result in more than $65 million additional net income.” As the need to become more data-driven accelerates, it’s imperative enterprises equally balance privacy and governance requirements.

To achieve this balance, we need to change how we perceive data security. Amidst growing friction between teams — i.e. those who create and manage data access policies and those who need data to perform their duties — we must accept security, IT, and privacy teams want to provision as much data as possible. But those teams face constraints and compliance complexity.

Traditionally, data security, privacy, and regulations have been thought of as a cost center expense. Instead, we need to look at data security as the means for positive change, a driver for greater data accessibility, enhanced operational efficiency, and actual business value.

Many remain far short of the goal

Enterprises of all sizes struggle with the shift. NewVantage Partners’s Data and AI Leadership Executive Survey 2023 found less than a quarter of firms reported a data-driven organization or data culture. And in the State of Data and Analytics Governance, Gartner suggests by 2025 80 percent of organizations seeking to scale digital business, including analytical initiatives, will fail because they don’t modernize their data and analytics governance.

Data access drives growth. So, what’s the reason for low data-culture adoption? To be truly data-driven requires tight collaboration between many different functions, and there’s a lack of certainty regarding individual-role responsibilities. Strategic gaps must be addressed.

The reality of data security and access

When it comes to data security and access, companies are typically either:

Overly restrictive on data access. Data security is seen as an impediment to overall company growth. This is typically due to data, organizational, and technological complexity.

Or, overly focused on perimeter and application defenses, leveraging cyberdefenses and coarse-grained identity and access management (IAM). Data systems are open to exploitation in the event of a breach.

Most experience the worst of both these scenarios, where data security and access are simply broken — inconsistent, atomistic.

A primary challenge of solving the data democratization balancing act lies in the complex web of internal and external privacy, security, and governance policies. They change over time and need to be applied and maintained consistently and efficiently across business teams.

In the middle are the technical teams managing the complex data and analytical system. Due to constraints, security, privacy, and data management teams default to a tight lockdown of data to ensure compliance and security. It’s not any one team’s fault, but a major blocker to becoming data-driven.

Unified data security platform

Siloed, decentralized, inefficient, unclear roles and responsibilities, and an absence of a holistic strategy. So, what’s the solution as more companies face costly data breaches and low data usability rates? An enterprise-wide, scalable strategy that leverages a unified data security platform. One that includes integrated capabilities to simplify and automate universal data security processes across the entire data and analytic ecosystem. With the ability to discover and classify sensitive data, data attributes can be used to automatically deliver instantaneous data access to authorized users. Proper data security governance helps teams get access to more data faster.

Additional data masking and encryption layers can be added to make sensitive data available for analytics without compromising security. Even if a breach occurs, fine-grained access limits exposure, and audit capabilities quickly identify compromised data.

Executing a proper data security strategy provides the last mile of the data governance and cataloging journey. All of it key to the balancing act of data democratization, with comprehensive data governance enabling faster insights while maintaining compliance. 

Enterprise-wide governed data sharing

Privacera helps Fortune companies modernize their data architecture via a holistic, enterprise-wide data security platform and automated data governance. A data security platform empowers the data democratization you need to increase data usability and nurture your data-driven culture. Analysts and business units get more data faster. IT liberates time and resources. Security and privacy teams easily monitor and implement data security policies.

Learn more about achieving modern data security governance and democratized analytics for faster insights here.


By Milan Shetti, CEO Rocket Software

If we’ve learned anything over the last few years facing a global pandemic, stalled supply chains, rising inflation, and sinking economies, it’s that change is the new normal in today’s markets.

In response, organizations have invested heavily in digital transformation. IDC forecasts that global spending on digital transformation will reach $2.8 trillion by 2025 — more than double what was spent in 2020.

As organizations amp up their digital transformation initiatives, which are critical for survival in today’s business climate, they must also consider how to modernize and migrate sensitive data and how it is managed and governed. C-suite leaders must have confidence in the data they have on hand to fuel business processes, deliver customer and employee experiences, and improve their operational analytics and insights.

Given the volume of data most organizations have, they need agile technologies that can provide a vast array of services to streamline content management and compliance, leverage automation to simplify data governance, and identify and optimize all of their company’s valuable data.

Ultimately, when evaluating automation technologies, your business needs software that will enable teams to move quickly and easily identify high-priority, sensitive data and to identify and remove redundant, obsolete, and trivial content (ROT) to remain compliant with complex regulatory demands. 

With organizations grappling with how best to streamline data management and compliance, there are four key considerations in doing it effectively.

1. Identification

Businesses need fast and accurate analysis of all their content. Organizations with content-rich processes should look for flexible and scalable automated solutions that can deliver a broad classification of content — reducing the chances of important information slipping through the cracks and allowing teams to quickly identify more types of sensitive data.

2. Action

To support compliance with a governance-first approach to content-rich process automation, businesses must be vigilant when it comes to managing the retention and privacy of documents. This is achievable by automating as much governance decision-making and manual processes as possible. Utilizing automation technology to automatically govern content-rich processes and eliminate mundane, tedious, and repetitive tasks, teams can eradicate many opportunities for human error and free up employees and resources to increase efficiency. 

3. Access

One of the biggest threats to a company’s sensitive data is accessibility. Easily accessible, less secure data is vulnerable to hackers and malware, and a breach can have catastrophic consequences for an organization. Teams must look for automation software that can set time and geography parameters around employee accessibility, deny access should a network be breached, and allow redaction across the entire enterprise.

4. Lifecycle

To successfully manage the entire content lifecycle, businesses must have the ability to place content on legal hold, manage the over-retention of documents, and enable encryption at rest. Rocket Software’s Mobius Content Services platform delivers this by not only allowing report management teams to encrypt and quickly put content on legal hold, but also providing storage reduction to avoid over-retention and ROT. Mobius can also easily integrate into many shared drives and collaborative platforms to streamline ROT and site auditing.

With investment growing in digital transformation, organizations must stay competitive — and, for many, data is becoming the critical differentiator. By implementing the right tools now for data automation governance, organizations will be better positioned to maximize it and stay compliant. To learn more about Rocket’s content management solutions, visit the product page.


What is ESG and why is it important?

Environmental, social, and corporate governance (ESG) is a strategic framework for identifying, assessing, and addressing organizational objectives and activities ranging from the company’s carbon footprint and commitment to sustainability, to its workplace culture and commitment to diversity and inclusion, to its overall ethos regarding corporate risks and practices. It’s an organizational construct that’s become increasingly important, especially to socially responsible investors who want to invest in companies that have a high ESG rating or score.

The three main pillars of ESG include:

Environmental commitment: This includes everything around a company’s commitment to sustainability and the impact it has on the environment, including its carbon emissions and footprint, energy usage, waste, and environmental responsibility.

Social commitment: This covers a company’s internal workplace culture, employee satisfaction, retention, diversity, workplace conditions, and employee health and safety. Companies with happy and healthy employees perform better and are viewed as a stronger investment.

Corporate governance: A company’s commitment to governance includes compliance, the internal corporate culture, pay ratios, the company ethos, and transparency and accountability in leadership. Investors are interested in companies that can keep up with changing laws and regulations, and that have a commitment to equity and equality in the workplace.

Your company’s environmental efforts will only become more important as the effects of climate change continue to grow. Companies that are more prudent with resources, such as water, coal, oil, and electricity, are predicted to fare better in a future where those resources may be limited in certain areas. Similarly, a company’s social profile is more important than ever in a time where a single Tweet can negatively impact an entire brand or company’s reputation. And as more laws and regulations arise around technology, most notably GDPR, a strong commitment to proper governance and compliance will be crucial for keeping a company operating and in business.

ESG score and rating

ESG scores are determined by third-party firms that have their own methodologies to identify a company’s ESG rating. Currently, this isn’t a process that is streamlined across the board, and different companies have their own way of determining a company’s ESG rating. ESG scores and ratings are important because they give an overall picture of the company’s performance in these three areas.

These scores help inform potential or current investors and can even help inform governments as to whether they want a company operating within its borders. A higher ESG score also aligns with a company being more sustainable, having happier employees, and being more productive and profitable overall due to better working conditions. Typically, ESG scores are rated from 0 to 100 with anything above a 70 classified as a “good” ESG rating, while anything below 50 is considered a “bad” rating. Some systems, however, rely on a letter-based scoring system where a grade of C is the worst and A is the best.

ESG investing and analysis

Because ESG has become a large part of the investment process for businesses, having an ESG analysis performed for your company can go a long way to showing investors that your company is worth their time and money. Investors have started looking at the overall values of the companies they’re investing in, and brokerage firms and mutual fund companies have responded by offering exchange-traded funds (ETFs) that track ESG ratings.

ESG investing is often called impact investing, sustainable investing, responsible investing, or socially responsible investing (SRI). ESG investors want to invest in companies that are committed to accountability and sustainability and that are overall good places for employees to work. Companies negatively contributing to the environment, social responsibility, or governance aren’t viewed favorably by these investors as a solid long-term investment.

What does a good ESG score mean for business?

For companies looking to improve their ESG rating, one big change is switching to smart building technology to manage waste and improve efficiency. Smart building technology can help automate climate control and lighting and monitor the building for efficient energy use. Using smart technology to manage your building’s energy consumption can also improve workers’ conditions, by ensuring that they’re in a comfortable environment, and can reduce potential waste by adjusting the lighting or temperature in areas of the building not in use. Automating building maintenance can also reduce waste and improve sustainability, with sensors available to detect issues with the building and alert the staff when something breaks or needs repairing.

Companies with a good ESG rating also have a strong commitment to their workers, ensuring fair workplace practices, a commitment to diversity and equity, and creating an environment where everyone feels welcome and accepted. This also includes having safe workplace conditions, benefits for employees, and strong support for employees’ overall well-being. Your company’s reputation relies not only on external interactions with clients and customers, but also on having high employee satisfaction within the company. This can boost retention, recruitment, and even productivity since happier employees have been shown to work harder and more efficiently.

Companies with a high ESG rating are also going above and beyond in areas around governance — typically doing more than is required of them in terms of compliance. They have high transparency with investors and employees and create an environment that allows for open and direct feedback. These companies aren’t just following the current laws and regulations, they’re looking ahead to what rules and laws might be implemented in the future and are making the call to make those changes early on. These companies also have a strong commitment to authentic leadership and holding leaders accountable within the organization.  

What does a bad ESG score mean for business?

Companies that have poor sustainability or high carbon footprints typically fall on the lower end of the ESG rating scale. These companies struggle with their overall environmental impact and have a history of energy-intensive practices and procedures. There is often a lack of automation, poor or bare-minimum compliance, and sometimes even unsafe or dangerous working conditions. These companies will have high turnover, poor retention rates, and employees reporting low levels of satisfaction.

At companies with low ESG ratings, there’s also often a lack of transparency with employees and investors, sometimes even going as far as to hide important or relevant information. These companies often do just enough on the side of governance to remain compliant but aren’t making the effort to do any more than the minimum. Companies with a low ESG score simply aren’t appealing to socially responsible investors, and they will struggle to be viewed as a solid long-term investment by this growing base of investors.

ESG challenges

There are some criticisms of ESG ratings — most notably that the scores and analysis aren’t streamlined and there can be variations between how companies give out ratings. ESG ratings also encompass a lot of broad topics in the workplace, making it difficult to standardize the scores across every company and industry. It can also be difficult for older companies to make the changes necessary for a high ESG score — especially around automation and building changes.


Whenever CIOs talk about using low-code tools to enable citizen development, a recurring theme is how to ensure appropriate governance of the applications produced.

Microsoft has heard them loud and clear, and at its Ignite 2022 show in Seattle this week, it introduced a range of new governance capabilities and other enhancements for its Power automation platform.

It also previewed new management capabilities for automated workloads in its Entra Identity governance tool, new compliance reporting tools for monitoring the roll-out of Windows updates on enterprise desktops, and a host of updates to its Azure cloud platform.

Power to the people

Even low-code may seem like a foreign language to some workers, so Microsoft has been experimenting with ways to enable them to generate workflows with Power Automate, describing in natural language what they want to achieve and leaving an AI to build the corresponding flow. The feature, now in preview, will still require workers to set up connectors for the inputs to and outputs from the automated workflow, and to tweak it to ensure it behaves as intended.

Given the scope for ambiguity in natural language, CIOs may want to reinforce governance of applications created in this way — and with the new Managed Environments for Power Platform, Microsoft will help them do just that. First previewed in July, it’s now generally available.

Checks and balances

A new Weekly Digest feature enables admins to see how much use each Power app is getting, directing attention to the most used and reclaiming resources from unused ones.

There are also new tools to limit sharing of apps by security group or number of users, so apps don’t go viral across the enterprise until they’ve been thoroughly tested and channels are set up to communicate changes to them.

Those features will be important to CIOs, according to Kyle Davis, a VP and analyst at Gartner covering low-code adoption.

“When it comes to citizen development and low code, governance is front and center,” he said.

Managed Environments is more of an evolution than a revolution, he added, saying, “There really isn’t anything there that someone couldn’t build for themselves if they wanted to.”

Indeed, Managed Environments has its origins in Microsoft’s Automation Center of Excellence starter kit, which enables enterprises to define their own best practices for Power app governance. But as the company itself acknowledges, customers found that this required a lot of manual work and expertise.

Davis said that CIOs looking for the simplicity of low-code development are often also looking for similar simplicity in its management. Managed Environments’ ability to deploy controls in a few clicks will be appealing. “It makes it easier to do things at scale,” he said.

The option to limit usage of an app to a few cubicle neighbors makes sense too, he said, because, “You can just yell across the hallway, ‘Hey, I’m going to make a change,’ and everyone’s aware,” while a change to a departmental app would need to go through a proper process. “What Microsoft offers with Managed Environments is something that you don’t really get from other low-code vendors in a similar space,” he said.

Environmental awareness

Not all the news at Ignite concerned Power Platform, however. Microsoft also had plenty to say about updates to its Azure cloud infrastructure offering, and an update of Syntex, its AI content management tool. Computerworld has the low-down on Syntex, but CIOs will want to be aware of other innovations that may help them trim management budgets or redeploy staff away from routine tasks.

There are new features for Microsoft Sustainability Manager, an environmental reporting tool for enterprises, including an extended data model to assist them in estimating so-called Scope 3 emissions of greenhouse gases by their entire supply chain, and an Emissions Impact Dashboard for Microsoft 365 showing greenhouse gas emissions resulting from their use of Microsoft’s SaaS productivity suite.

Azure Deployment Environments, previewed at the show, offer enterprises a way to apply project-based templates to each development environment they spin up. Much like the managed environments Microsoft is introducing for low-code applications, these new templates will help development teams consistently maintain best practices across projects with minimum effort, the company said.

Cost cutting

Another management feature, Azure Automanage, is now generally available for Azure VMs and has new capabilities including the ability to patch VMs without rebooting, reducing downtime costs.

For variable computing workloads in the Azure cloud, Microsoft is introducing the ability to mix Standard and Spot Virtual Machines in the same scale set, enabling CIOs to profit from the deep discounts available for Spot VMs as their computing needs vary.

But Microsoft also wants customers to see Azure as an economical solution for base workloads. Azure savings plan for compute, available later this month, offers a discount to customers who commit to spending a minimum hourly amount on computing resources for one to three years; consumption above the minimum commitment will be charged at regular rates.

Staying Intune

Microsoft is reshuffling its branding around endpoint management: Intune, previously a component of its enterprise mobility management offering, is now the umbrella brand for its whole range of endpoint management products such as Configuration Manager — with the promise of more to come. At Ignite, the company is previewing new endpoint privilege management capabilities such as the ability to temporarily grant users limited admin permissions, and automated app patching by combining Intune with Microsoft Defender. In January 2023, it will add Microsoft Tunnel so employees can securely access company resources from their own devices without having to enroll them first. And then in March 2023, a new bundle of premium endpoint management services called Advanced Management Suite will be introduced.


Modernizing and future-proofing your analytics

Executive-level commitment to a broad data governance strategy is gaining momentum in order to balance technology, people, and processes. In a recent Gartner survey, 78% of CFOs said they will increase or maintain enterprise digital investments. And a Gartner forecast states worldwide IT spending will grow 3% in 2022.

The counterbalance to this positive trend comes from NewVantage Partners’ Data and AI Leadership Executive Survey 2022, which states only 26% of respondents claim to have reached their data goals. The gap between data winners and stragglers is widening.

Technology balance

One look at the Andreessen-Horowitz framework for the modern data infrastructure and you see data ecosystem complexity is becoming a nightmare to manage. The ability to properly secure this new smorgasbord of data platform choices increases the management challenge.

Andreessen-Horowitz framework for the modern data infrastructure

People balance

Until recently, data management and analysis was almost solely an IT function. Today, the business ranks are filled with people with similar skills: data stewards, data analysts, and data scientists tasked to build a data security governance platform. Meanwhile, CISOs, CIOs, and CDOs are thinking about compliance requirements and implementation. While there are many positives regarding the expansion of data-related roles, it has also meant dwindling IT resources directly dedicated to data consumers, despite IT being tasked with servicing a growing data landscape.

Process balance

On-premises technologies have moved to the cloud, often in an à la carte, buy-as-you-go style, without significant forward-looking strategy. In addition, a stream of new regulations demands new processes to regulate and assure the responsible discovery, access, and use of data. Add to this the federation of our data expertise into the business functions, and organizations now require a scalable approach to data governance processes.

The growing cost of getting it wrong

While many proof points exist for the value of data and the positive impact, the cost of doing nothing or getting it wrong has gone somewhat unnoticed. Key considerations include:

The average cost of a security breach in 2022 is around $4.35m, compared to $3.8m two years ago (Source: IBM’s Cost of a Data Breach Report 2022).

Regulatory fines, such as GDPR, are becoming real with companies such as Amazon and WhatsApp reporting multi-hundred-thousand-dollar fines.

Analyst, data engineer, and data scientist productivity remains a major challenge as they continue to report 80% of their time is spent on finding and getting access to the right data, as well as cleaning that data.

The intangible cost of delayed business decisions because the projects are on hold or severely impacted and delayed.

Loss of consumer trust once confidence is broken due to mishandling of data, causing lasting damages to a company’s brand as well as severe financial repercussions.

Modernizing your data security governance thinking

Modernization starts with thinking differently about the approach to people, processes, and technology.

Modernizing data security governance technology: Security and data governance need to exist across every part of the data lifecycle. Maintaining that security posture on a point-by-point basis is simply not viable. A broad-based data security platform that will bring you a centralized data security control plane across your entire hybrid data estate is required.

Modernizing the roles of your data stakeholders: Key stakeholders have expanded beyond the traditional experts employed by IT. Data experts live in the business. Data scientists in the business team are embraced, but data governance stakeholders have yet to receive the formal recognition they deserve. The data owners are business people. Formalize security and data governance objectives early. Empower your business data stakeholders to perform those objectives in a scalable and automated manner.

Modernizing your data governance processes: Gartner speaks extensively of the evolution of data governance from dictated (IT command and control) to distributed (everything left to be performed at the edges of the process). Implement a blended model where the system is based on federated responsibilities with centralized control and auditability.

Unified data security governance

AWS, Snowflake, Databricks, Azure and Google continue to deliver more choices on their ecosystems, which offer more opportunities for your business. But more choices inherently increase the difficulty of enforcing security across this increasingly diverse landscape. The only way to future-proof your analytics along with your security and privacy posture is through a unified data security governance approach. Privacera was co-founded by the innovators who led the charge in creating Apache Ranger™, one of the most widely used open source data security and access control frameworks. As the only scalable data policy management solution based on open standards, Privacera offers a proven way to future-proof, while preventing vendor lock-in. Read more about the immense benefits of a data security platform based on open standards.


In today’s dynamic world of work from anywhere, organizations are experiencing new pressure points. IT and security leaders find themselves grappling with extended enterprises of employees, contractors, and suppliers remotely located across the globe using an expanded set of technologies. The broad adoption of cloud apps, platforms, and infrastructure has led to a complete re-thinking of access, governance, and security.

While remote, extended enterprises accessing cloud-based technology bring potential risks, they also offer significant upside for businesses. CIOs have recognized how strategic their organizations can be in driving business growth, productivity, and reducing complexity by pushing rapid technology adoption and creating seamless, secure, and simple authentication and authorization experiences for their broad workforces.

Collectively, these changes have emphasized the need for a more holistic identity-first approach to technology adoption, implementation, and security. Much of that starts with understanding who has access to what, when they received access, and who authorized that access. That technology domain has traditionally been known as Identity Governance and Administration (IGA), but as new ways of working collide with new security paradigms, those definitions are shifting and evolving to match modern enterprise IT environments.

This broad need for IGA capabilities is well-founded, as enterprises are recognizing the side effects of distributed and fragmented user bases and tech stacks: a sharp rise in orphaned accounts that are a major security risk and a resource drain, and a lack of control and visibility into cloud application security posture, lacking clear reporting of access and any time constraints.

The weakness of traditional IGA systems

As companies start shifting to an identity-first approach to security, IGA is becoming a more sought-after capability for organizations requiring better visibility of identity administration and access entitlements across their IT infrastructure. This is a major departure from traditional, compliance-driven models, as IGA is being seen more as an enabler rather than risk mediation.

Traditional IGA solutions are primarily solving a legacy problem and were not built to manage identities in cloud-first IT environments. They lack the ability to easily integrate with modern applications and are challenging to implement, often taking 12-18 months to deploy, requiring professional services, and incurring considerable maintenance costs along the way. The outcome is too often that traditional IGA solutions are bolted on and left alone, resulting in non-updated software and potentially greater security holes than before. To make matters worse, legacy systems are generally designed with a small subset of users in mind, with user experiences that make broad adoption and education a significant challenge.

In a world where cloud technologies have democratized access and adoption, IGA solutions should make it possible for more users within an organization to compliantly engage with applications either as an end user or as an authorizer, ultimately driving the business forward.

The modern approach to identity governance

As enterprises continue to adopt more cloud technologies and work in a distributed environment across a broad set of users, IGA must evolve to enable rather than disrupt modern enterprises. IT leaders need a cloud-native, enterprise-grade solution that is approaching identity governance not as a bolt-on solution, but as one that has been foundationally incorporated into a broader identity-first security posture. To keep pace with today’s speed of innovation and adoption, a modern solution must be deployed in days, and be easy to use and maintain. Lastly, a modern IGA solution must deliver a seamless and frictionless experience for the workforce and help boost the productivity and agility of its IT organization.

Okta’s cloud-first approach to identity governance

As the first born-in-the-cloud identity provider, Okta has taken its modern approach to identity and access management (IAM) and applied it to IGA with Okta Identity Governance, which is now generally available. Okta Identity Governance is part of Okta’s broader workforce identity vision, unifying IAM and IGA to improve enterprises’ security posture, helping them mitigate modern security risks, improve their IT efficiency, and meet today’s productivity and compliance challenges.

Deeply integrated into Okta’s existing IAM solutions, Okta Identity Governance provides an unparalleled comprehensive view of every user’s access patterns. Enriched user context allows reviewers not only to simplify the access certification process, but also to make informed decisions about user access, ensuring only the right people have access to the right resources. It meets users where they are by providing easy-to-use self-service access request capabilities, tightly integrated with collaboration tools and built on a converged IAM and governance solution, automating the provisioning of access to an enterprise’s applications and cloud resources.

With a network of 7,000+ pre-built integrations, Okta Identity Governance can provide intelligent and easy-to-use identity governance capabilities with the ability to automate complex identity processes at scale.

Analyst firms and the federal government have agreed on the broad, foundational role identity plays in securing today’s organizations. Identity is the number one pillar of zero trust architecture, and that approach is built on the principle of least privilege with identity governance serving as a critical component. As organizations continue to adopt a zero trust framework, they are starting to realize the importance of moving away from a distributed identity architecture to a unified approach. Okta’s unified platform extends access and identity administration to include the key access governance tools that modern organizations need to mitigate modern security risks and improve IT resource efficiency. 

To learn more about Okta Identity Governance, visit the Okta blog.

About the Author

Paresh Bhaya is the Senior Director, Product Marketing for Identity Management business at Okta. He has been in the security industry for 10+ years and has experience in all phases of product development and marketing. He is passionate about security and you can always find him chatting about some deep security problem. Prior to Okta he was leading the Product Marketing efforts at Salesforce and worked at successful startups before that. He has an M.S. in Electrical Engineering from University of Texas.
