Data Governance that Works for the CISO and CDAO
More than ever, Chief Information Security Officers (CISOs) and Chief Data & Analytics Officers (CDAOs) need to join forces around governance. Traditionally, the CISO was concerned with perimeter security, not with data directly, and the CDAO could usually assume that others, mainly in IT, were taking care of data security. Today, the CISO must take an active role in defining the enterprise's security posture, working with the CDAO to agree on a data security strategy.
New data security categories from Gartner
In the Gartner Data Security Hype Cycle, Gartner shows two relative newcomers — Data Security Governance (DSG) and Data Security Platforms (DSPs) — in the early part of the Hype Curve. So, what exactly are these newcomers?
Data security governance: DSG is the part of the larger data governance landscape that focuses on data security. Gartner defines it as covering data security, identity management, and application security. The other parts of data governance deal with metadata management, data catalogs, data lineage, master data management, and data quality. Metadata management and catalogs are mainly focused on describing the data, while DSG is all about action, such as enforcing security and policies.
This definition of DSG is the keystone to our point of view that the CISO and CDAO must align.
Data security platform: The DSP is the vehicle with which to achieve the data security component of DSG. Both Gartner and Forrester define DSPs as the convergence of data classification, access controls, masking, encryption, risk insights, workflows, and automation. A few drivers for convergence are:
- Data needs to be secured across its entire lifecycle, from ingestion to in-motion and then at rest.
- A comprehensive policy framework is needed across relational as well as semi-structured file systems.
- A single control plane is needed across your hybrid cloud landscape.
A change of perspectives
Getting the CDAO and CISO on the same page is imperative. Traditionally, the CDAO has focused on data consumption, driving data literacy, and getting value from data. In the on-premises world, data was in the data warehouse and secured via perimeter and application security.
Cloud disrupts this approach with disappearing perimeters. On top of that, the proliferation of data service choices (e.g. storage, compute, processing) means security enforcement is becoming a larger-than-life effort competing for scarce admin resources.
The end result? The CDAO has fast become a critical stakeholder in the effort to secure a new cloud of data assets.
What about CISOs? They’re focused on securing the perimeter and applications. But now zero-trust frameworks are becoming the last mile of defense, and every user should have access only to the data they’re allowed to see. This modern stance means that even if a user’s credentials are compromised, the keys to the data kingdom are not.
DSG provides a framework for CDAOs and CISOs to collaborate on delivering transformational business value from data while remaining compliant with the growing list of internal and external mandates.
5 practical initiatives for collaboration
- Jointly agree on security requirements throughout the entire data lifecycle.
- Prioritize business risks through a comprehensive data security framework.
- Define key performance indicators to ensure that business value and security requirements are met.
- Establish a framework for holistic data policy creation and establish an approach to implement, simplify, and automate across your entire data estate.
- Build out a phased implementation, rolling out an initial use case with plans to expand across the rest of the data estate.
Comprehensive data security and access governance platform
Privacera was founded on the vision to maximize the value enterprises get from data, balancing two key concepts:
- Empower analysts and data scientists with rapid self-service access to data.
- Maintain compliance with all privacy and security mandates.
Privacera manages security and access to all data throughout its entire lifecycle. Key capabilities include:
- Data discovery and classification
- Data access controls through fine-grained access policies
- Data masking
- Encryption
- Data security and risk insights
- Workflows, policy orchestration, and automation
Learn more about the only open standards-based data security platform.