bizdatavalue

This also leads to new types of business risk from data

at least a big part of it - the Chief Risk Officers at #pwcrisksummit look at this in a multi-dimensional way - security, privacy, governance, data protection are all on the table

Important to distinguish between data and information. The latter is ultimately what we leverage in business.

@tcrawford How do organizations distinguish in your experience?

@dvellante Fundamentally, there are only two dimensions: Getting access to the data and protecting the data (so that it is not misused).

@dvellante Unforutantely, they (broadly) don't make the distinction yet.

A new type of data risk is from big data and AI projects. These projects can have great outcomes for enterprises. Equally however, they can be used to identify key assets and issues, and extract small and highly valuable datasets that are difficult to protect.

@tcrawford do you see these 2 dimensions as counterpoised - i.e. more security means less access?

@tcrawford and consequently less business value?

Data is the new Oil: Data is to Oil as Information is to Gasoline and other refined products.

Whichever way you skin it the data still needs protecting. In Europe we will shortly have GDPR which changes data protection significantly

date value is at the core of what Congress is trying to get at with the #facebook activity

@dvellante Yes and no. Most users do see it that way. However, progressive #Infosec folks look to strike a balance were data is accessible, but protected.

@dvellante As with any unrefined product, data is just a raw material. Bits on a page. Its value ultimately comes when we process it.

The rights of an individual to the data they unwittingly provide is at the forefront of all newsfeeds right now & its a revelation to many how much they do 'give away'

@tcrawford Watched a Ted talk yesterday where the presenter preferred Data is the new Soil as it is the fertile ground for innovation

.@stu I actually think there are a couple of threads that are part of the FB issue: Data #privacy & Business Models that leverage data.

@robemsley We probably use far too many analogies.

@ChristianMcM indeed...imagine being zuckerberg - trying to innovate and getting crushed by congress - Andy Kessler wrote a great article in the wsj two days ago basically saying "what did you expect?"

Security and privacy should be imbedded into business processes which generate data, at least from tagging perspective; afterwards approach doesn't work. Rebuilding processes expensive, and enterprises are not willing to do it without external pressure.

@tcrawford Except that data is a catalyst: It can be applied many times without changing. Doesn't follow the laws of scarcity. Many, many implications.

@dvellante Its the lack of transparency that has irked people. They've just seen huge Facebook profits but now they are realising how it makes its cash

.@ChristianMcM I don't think the issue is rights to the data they provide. That has been made very clear. It is in the meta data of inferences that are made based on the data they provide. Who owns it and how can it be used?

@ChristianMcM I actually think this is a red herring. You are using a free service. You know they serve up ads. Put 2+2 together. We have to stop assuming (wrongly) that we control free services.

@tcrawford Maybe but the profiling of individuals as a result of what has been provided is waking many up

@tcrawford They my be free to use but many are making huge profits without sufficient transparency. Many don't realise what we know & understand about these services

@ChristianMcM And this is where the rub is. Doesn't Google do this too? Also there are many, many companies that have done this for a very long time. We have just been cavalier with what we share.

@tcrawford Agreed & Google plus many others also do this but people are now starting to understand this & question it. Will be all about how these org respond

Google is probably saying privately: "Please don't look our way. Please don't look our way."

@tcrawford I can imagine there has been a few tense internal meetings...

Mark Zuckerberg :-)

In all seriousness this is becoming a policy decision as much as technical

I would argue that no one person owns this responsibility. Everyone must be good stewards of the data they are entrusted to handle.

Interesting comments from the CROs at #pwcrisksummit today - one exec said "Risk management, including data protection, resides in the LoB. We in Risk are 'player coaches' and we try not to layer too much process onto the organization" - so it's a team sport - however..

my sense is when it comes to real issues of security and data protection (e.g. backup) it's the Security and IT teams that own the problems

@furrier Kinda true! Testimony absolutely will encourage CxO conversation about these issues globally.

@furrier very true - technology got us into this problem and process and people - along with tech - are the only way to really address it

Identifying the risks should probably come the CIO. Buisness responsibility for protection from lob execs

.@dvellante Unfortunately, this is a hot potato (or nuclear) issue that nobody wants to own. Probably rightfully so. But yet we all must take responsibility in our own way.

The LOB expects their data to be protected but decisions on how to achieve data protection come from the technology

.@dfloyer If you truly have a #CIO that understands the business, then yes, they can lead the charge. But many don't have enough knowledge, experience nor leverage to do it.

@tcrawford Agreed. In Europe with GDPR its really driving the agenda on this & how orgs manage it

It is not one person job. There should be committee of people CxO with Information and Security Architecture in hands. Leadership should come from most interested departments, it can be Legal in one and Operations in another type of business.

@dmitry_golubev agree on this point; the buck should stop with someone senior but it's an ops issue as much as anything but who is leading the ops implementations? that is the question

.@dvellante The challenge is that we DO need to leverage tech. But we need to do it in the context of the business we operate. Is your #CIO capable of that? Are any of the c-suite leaders?

the buck stops with the CEO imho

@furrier The buck always stops with the CEO. But there is often some collateral damage that accompanies the issue.

@furrier Yes & if there is a security breach its normally the CEO who takes the public fall for it with I imagine the CIO/CISO exiting more quietly.

this is a good question and I think it's an all of the above. These areas feed into an overall risk management/business continuity strategy and *directly* have an impact on brand - which is why it's so important

at the #pwcrisksummit - the execs here look at #cyber #regulatory risk and operational risk as items that need to be managed and feed into overall corporate brand impact

Recent events & public breaches tarnish long built corporate reputations & customer trust. As a result I see more CxO's talking about their data & how they manage/use it.

from a technology standpoint, need to be sure that regardless of location - SaaS, IaaS, or on-premises - that data can be protected. GDPR and all of the usual GRC is often the biggest stick for users to sort this out.

@ChristianMcM are CxOs becoming better versed in data-related issues?

For Buisness continuity backup/recovery. For data loss security/privacy

at the #pwcrisksummit I asked this question of CROs, CISOs and other CxOs and the best answer I heard was that LoB must take responsibility but a governance organization provides the framework, auditing activities and providing coaching

@ChristianMcM It feels like this issue is only going to keep getting bigger and bigger given the digital transformations taking place - seems like we're very early in the escalation

Today CxO have better access to external consulting for the issue. Expertise is growing in consulting community very fast as the question getting mature and more funding.

Yes & they are demanding answers to questions they have never asked before. Brand & reputation impact is key with shareholders now also requesting more information on how orgs are managing their data

@dvellante Absolutely & so many people are now asking questions & holes are being found which need patching. Overall the message on data held by orgs need to be agreed & consistent across the c-suite