Alex Solutions Director and Chief Product Officer Rainer Runge sat down with Karissa Breen, host of the KBI Podcast, to talk about data security.
We’ve summarised a few of the key topics of discussion here to serve as a written companion piece to the episode. Data security is a practice of increasing technological complexity and importance. Make sure you listen to the full episode wherever you get your podcasts.
Data Integrity vs Data Security?
Karissa and Rainer discuss the nuanced definitions of data integrity and data security. The two concepts bear some similarities, which often leads to confusion about the capabilities of particular technologies or project scopes.
Data integrity refers to the validity and accuracy of how data represents its business meaning. Rainer puts it simply: If data values are accurate, then the data represents the real world faithfully, and is therefore data of integrity. For this to be the case, data must also be up to date, and business rules must be correctly applied to the data to reflect its real meaning. This can include both master and reference values such as product IDs, industry codes, channels and more. It’s also necessary for data to be complete in order to be data of integrity – individual records as well as aggregates across tables, application systems and organisations need to be whole and comprehensive.
On the other hand, data security encompasses the controls applied to data: who may access it, how, and for what use. For data to be secure, it must be data of integrity that is both protected from unauthorised access and available for its intended business purpose. This may seem contradictory, but Rainer concisely explains the concept known as the CIA Triad, the three core elements of information security taken together: confidentiality, integrity and availability. Confidentiality means protecting sensitive information from unauthorised disclosure. Integrity, in the security sense, means ensuring that only authorised systems and users are able to modify data, which keeps it consistent and accurate. Availability means protecting the systems that operationalise the data so that it remains accessible to serve its purpose within the business. There’s a detailed discussion in the episode about the different aspects of the Triad that sheds light on exactly what this looks like in practice.
Knowing what you need for Compliance
For an organisation to know it has sufficient data security for compliance, Rainer recommends starting with understanding the landscape. What needs protection? How is data classified? What are the key compliance requirements for your industry or environment? Once this is known, there need to be clear accountabilities and boundaries for information security, whether on the organisation’s own behalf or on behalf of its customers under a data protection regime such as the GDPR. This process involves countless sub-processes in data management. For this, you need a platform like Alex, which can rapidly identify and enable the removal of single points of failure, automatically scan and categorise sensitive data, and kick off workflows to facilitate accountability.
The implications of not meeting compliance are significant. There’s a good discussion about how hefty fines are only one aspect of the risk. Reputational damage and loss of trust carry a variety of very real commercial consequences.
Are organisations doing this well enough? If not, how do they get there?
While some organisations are meeting compliance requirements – typically highly regulated bodies – others are not doing so well. Rainer notes that reluctance to implement data governance regimes which include proper data security stems from the cost of compliance. But commercially, when comparing the financial penalties and reputational risk of non-compliance with the cost of establishing a fit-for-purpose data governance regime, data security stands up as a business case. He also explains some of the flow-on benefits of having such a capability. The first step, then, is to create this business case. There needs to be buy-in and commitment when the programme is implemented; it’s not as simple as installing a tool and checking a box. Delivery of value from the programme should be measured against the benefits called out in the business case, covering both the mitigation of risk and the realisation of benefits such as efficiencies.
Rainer suggests that best practice for implementing such a programme is to establish a data office which will govern and oversee the incremental implementation of appropriate data security measures. This is a rich discussion of one of the biggest questions executives have about data security and compliance, and is a must-listen. It’s one thing to know that you need to get compliant. It’s another thing entirely to hear how best to do so from an expert in the field with many decades of experience supporting some of the world’s best companies with cutting-edge technology solutions.