4 minute read 24 Feb 2020

How chief data officers could remove the tussle at the table

By Richard Watson

EY Asia-Pacific Cybersecurity Risk Consulting Leader

Cybersecurity leader in the EY Asia-Pacific region. Public speaker. Trusted advisor on cyber risk and digital trust. Golfer, traveler and dad.

Convergence of privacy, security and data governance is a huge opportunity for companies today. But who will own this ambitious agenda?

Any digital transformation agenda requires the foundations of privacy, security and data governance to be aligned. But consider the overlap of privacy, cybersecurity and data governance. This convergence throws up many challenges for organizations to consider. Is our data safe from hackers? Am I complying with the different privacy laws? And am I using the data I capture ethically?

These three questions are often answered in different quarters. Cybersecurity is the responsibility of the chief information security officer (CISO), the legal issues of privacy are addressed by the general counsel and data governance is usually the preserve of the chief data officer (CDO), with the help of marketing teams.

This is why convergence can be so challenging. All these competing priorities and programs are in collision, despite trying to do the same thing with the same set of controls.

There’s a real tussle at the table, as the senior executives responsible for security, privacy, data and technology all line up.

So how do you meet three different objectives with just one transformation agenda? A lot of organizations are dealing with this conundrum, and if you haven’t cracked it yet, you’re not alone.

And the stakes are sky high. The costs of cybercrime continue to grow exponentially – with US$2.9 million lost to cybercrime each minute, according to one estimate.

Worryingly, respondents to EY's latest Global Information Security Survey reported a 59% increase in destructive attacks in the last 12 months. Despite this, only a quarter of CISOs could quantify how effective their organization’s cybersecurity spend was in managing their organization’s risks.

Meanwhile, the cost of data breaches is estimated to hit US$5 trillion by 2024, according to The Review (pdf). What was once a theoretical risk has become very real. Fall foul of the European Union’s General Data Protection Regulation and face a stiff penalty: 4% of turnover or €20 million. Breach China’s Cyber Security Law and risk your right to operate in the Chinese market altogether.

Then there’s the Personal Data Protection Act in Singapore, the Notifiable Data Breach Scheme in Australia, and similar acts in Japan, Korea, Malaysia, Thailand and the Philippines – each with subtle differences and each demanding protection of personal data in that jurisdiction. Many large organizations across Asia-Pacific are having to restructure their technology footprints to comply.

Public perceptions of privacy, data and security are also changing rapidly. People are now acutely aware that personal data is not always private. Forrester research has found almost one quarter (23%) of adults in the United States are concerned about their data and are sceptical that companies – especially social networks and media firms – will keep their information secure.

There’s also a less obvious operational cost: failing to tackle this issue as a company risks creating multiple systems and layers of duplication.

But sitting at the center of this convergence is a utopian zone and one simple idea: trust in data. The sweet spot is a place where data is well managed, where the privacy of customers and suppliers is protected, and where cyber threats are minimized. And the person responsible for all three is the CDO.

In 2012, just 12% of Fortune 1000 companies had a CDO on the payroll. By the end of 2018, this had skyrocketed to nearly 68%.

It’s easy to see why. With 250 billion terabytes of daily data creating a tsunami of information, CDOs play a critical role in the C-suite.

Of course, the task and role of the CDO is dependent on each organization’s ambitions, aspirations and digital agenda. However, it usually includes organization-wide governance, management and use of information, and the management of growing teams of data scientists and analysts.

Aspirations must be aligned across the organization – there’s no point having well-structured data if the business isn’t prepared to change its go-to-market strategy, or if the board and CEO aren’t in agreement. Everything must be lined up to get the biggest business benefit, achieve the organization’s digital transformation objectives and match the organization’s purpose.

Those companies prepared to be bold and brave are beginning to reap the rewards – and they aren’t all disruptive start-ups.

Take, for example, a supermarket that recognized digital transformation meant more than a good website, and now has dark warehouses optimized for picking products and a whole new business model.

Take, for example, a bank with a CEO encouraging employees to become “data scientists” by each asking questions that drive the data agenda.

And take, for example, a pizza delivery business that has reinvented itself as a tech company with everything from the ordering process to the visual guarantee now driven by digital.

It takes someone sitting at the centre of those overlapping circles to make this happen. CDOs may control data, but their role is more strategist than tech steward. CDOs can lead the discussion on digital ethics, drive action on privacy, oversee an effective information security strategy and ensure trust in data is embedded in every part of the organization.

Summary

Any digital transformation agenda requires the foundations of privacy, security and data governance to be aligned, and in response we’re witnessing a tussle at the table as those responsible for security, privacy, data and technology all line up. What companies must start to realize is that it takes someone sitting at the center of this convergence to ensure these aspirations are aligned across the organization. And this is the CDO.
