Data is the lifeblood for many organizations. But, is that data an asset or a liability? This thought-provoking question should be considered by all IT managers and real thought given to what is collected and how it's managed. Scott Lowe explains.—————————————————————————————————————
I spend a lot of time reading and perusing the forums for various groups to which I belong. Last week, one question stood out from the others and really piqued my interest: Is data an asset or a liability?
I've always considered data to be an asset when it's use correctly and ethically. I've written previously about business intelligence efforts at Westminster College and, to be sure, data is critical to the success of any data-driven initiative! The data that we have in place is a treasure trove of information that, once leverage appropriately, will provide us with additional insight into our operations and student performance. The goal, ultimately, is to use data in ways that allow for faster, better decision making. Organizations across the board use data to help achieve their goals. Sales organizations mine their data in an effort to extract additional money from established customers. Credit companies make heavy use of data and trending to assess risk of individual debtors and then apply what they consider to be fair rates and fees based on this information. Again, in this case, the data is an asset in that it allows the company to make decisions based on real information.
All that said, I can see why the question was asked. After all, don't we all build moats around, install razor fences around and otherwise do everything in our power to protect the data we handle from falling into the wrong hands? There are countless stories out there about organizations that have, for one reason or another, lost control of their data and it's been leaked to the world, creating both technical and PR nightmares for those companies. In this sense, the data we protect is clearly a liability as it can provide those with less desirable intent with a motive to steal it.
What almost all of us have sitting in our data centers is a treasure chest that could be world its weight in gold on the black market. However, although that treasure can be leveraged by the organization to provide significant insight into the business, the rules governing access to that treasure must also be strict enough to keep the organization from being the next front page security breach story. In my opinion, after considering this question, I still believe that data is a major asset to the organization, but that asset must be protected or it can quickly turn into a liability.
Some (probably obvious) ways to protect your information:
- Collect and store only actionable information. At Westminster, as we develop new ways to collect information, we're asking ourselves a key question: "Is this information actionable today?" If the answer is no, we won't ask for the information. A "we might need it someday" answer is not a good enough reason to ask for information for two reasons - 1) It places additional burden on the person providing the information; 2) If there ever is a breach, it's just more information that we lose. If we ever do need to begin collecting that information, we will do so when a justifiable business need arises.
- Protect your information from both the inside and outside. You probably know that a huge number of security breaches are inside jobs and are not the work of cyberstalkers prowling through your electronic jungle. Of course, you do need strong protection from outside threats, but never overlook the obvious internal threats. Provide employees with the most minimal level of access they need to get their job done. While most employees are good, upstanding people, as soon as you run across one that doesn't fit this mold, you could be in a world of trouble.
- Test your backups. The failure of a backup can put an organization out of business. Remember, data is an asset, and is sometimes an organization's largest asset. Treat it as such and make sure that you can recover from a failure anywhere in the chain.
- Be complaint. Of course, there are a number of organizations for which data security standards are governed by regulation from either the government or from large entities, such as credit card companies. Make sure that you're following the rules. If you don't, your data (or, your failure to follow the rules) can quickly become a liability in the form of large fines.
Have a topic idea or question you'd like me to address or answer in a future post? Email me directly right here at firstname.lastname@example.org.
Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive with CampusWorks, Inc. Scott is available for consulting, writing, and speaking engagements and can be reached at email@example.com.