The tension between the CDO and the CISO: The balancing act of data exploitation versus protection

By Alasdair Anderson, Vice President at Protegrity.

  • 5 months ago Posted in

Data is the most valuable resource for the global enterprise. For any company wanting to remain relevant in today’s competitive business landscape, data needs to be at the centre of every business decision, allowing the C-suite to review initiatives, make real-time decisions and if necessary reverse actions. A quick response fuelled by real data insights will power and improve the customer experience and product offerings while driving lower prices through better efficiency. Ultimately, this will improve the bottom line and deliver successful outcomes for many organisations.

However, to unlock the true value of data, it is equally important that organisations ensure that confidential data is always secure. To achieve this, the Chief Information Security Officer (CISO), who acts as the gatekeeper to data to ensure it is compliant and secure, and the Chief Data Officer (CDO), who aims to unlock and exploit data, have different and competing priorities, yet they must be able to work together towards a common goal to achieve the strategic objectives of the organisation and deliver great customer and business outcomes. There are significant benefits to be had when these two role holders work together and huge drawbacks when they don’t. 

The value of data

Data is a critical resource for organisations, helping to transform the overall customer experience and deliver innovation that exceeds expectations. According to global research findings from Splunk, companies that use data for innovation, improving business resilience and disrupting the competition, gain a 9.5% profit edge.

This data-driven innovation is based on three key practices, namely collecting data, using data analysis techniques, and leveraging data in decision-making. However, with an estimated 463 exabytes of data expected to be created daily by 2025, which is more than the observable stars in our universe, data also presents a significant challenge for businesses. This is particularly true in terms of protecting it.

When data is not protected

While data delivers a significant competitive advantage to companies when used appropriately, without the right data security measures in place it can be misused. This not only erodes customers’ trust but also puts the company at risk of having to pay penalties and fines for non-compliance with data security regulations.

As data teams aim to extract and exploit data for the benefit of the organisation, it is important to note that not all data is equal. As such a risk-based approach must be in place to limit access to sensitive data across the organisation.

In doing this the IT system will have access to the full spectrum of data to join and process the information, run through models and identify patterns, but employees rarely need access to all this detail. For example, when booking a flight, an airline will acquire a lot of personal information, which isn’t necessary to share across the organisation. To improve customer experiences the customer service teams, such as the onboarding staff, would need the customer’s name to greet them when they arrive, but the analytics team would need additional information to develop in-depth insights into customer behaviour, track customer activity and develop ways to improve the customer experience and loyalty.


The value of data security

Enterprise data security is responsible for protecting an organisation’s information from unauthorised access to ensure its digital integrity. This includes paying special attention to sensitive data like Personally Identifiable Information (PII), Personal Health Information (PHI), and Intellectual Property (IP), and enabling data accessibility for authorised users.  

At the same time, various legislations and regulations dictate how personal data must be handled, such as the General Data Protection Regulation (GDPR) and Digital Operational Resilience Act (DORA), and companies that do not comply risk stiff penalties, fines and even worse, losing customer trust. As such, security teams have an important role to play in ensuring the organisation complies with the legal requirements and also meets customers’ expectations in terms of keeping their data safe and secure.

When security locks the data

With regulations becoming more stringent and breaches more common, security teams are under pressure to keep controls in place to secure data. In this environment, it is no wonder that some security teams have taken drastic measures to ensure maximum data protection and minimise the risk of non-compliance to data regulations. Aligned with the saying “If the only tool you have is a hammer, you tend to see every problem as a nail” some security teams have restricted all access to data and others have deleted all customer data from company systems to completely remove the risk.

While this may seem like the safest option to comply with regulations, there are implications with this approach. Most notably, customer experience is negatively impacted and, as customers have come to expect a high level of personalisation as part of the engagement, they may not appreciate being completely anonymous and treated like every other customer and may seek a better, more personalised experience elsewhere.

Overcoming conflicting policies

To overcome the conflict of data exploitation versus security and deliver a customer experience that meets customer expectations, data teams and security teams need to work together to achieve a common purpose and align on the culture. To achieve this each team needs to listen to and understand their respective needs and then identify solutions that work towards helping to make the other team successful.

Once this is achieved, data can be segmented according to risk with access controls in place. Anonymised data should remove direct identifiers (names, addresses) and indirect identifiers (workplace, age) so that they cannot be combined to reveal an individual’s identity. To further secure data, it should be anonymised using tokenisation or pseudonymisation. This not only limits access to sensitive data but also helps companies to adhere to regulations.

As data continues to transform from being an IT issue to a valuable source of intelligence, companies that work to remove the competing tension between the CISO and the CDO will gain a competitive advantage, seeing their customers benefit from better experiences that create further opportunities.

By Francesca Colenso, Director of Azure Business Group at Microsoft UK.
By Andy Baillie, VP, UK&I at Semarchy.
By Kevin Kline, SolarWinds database technology evangelist.
By Vera Huang, Sales Director, Data Services at IQ-EQ.
By Trevor Schulze, Chief Information Officer at Alteryx.
By Jonny Dixon, Senior Project Manager at Dremio.
By James Hall, UK Country Manager, Snowflake.
By Barley Laing, the UK Managing Director at Melissa.