Enterprise Software

Is data an asset or a liability?

Data is the lifeblood for many organizations. But, is that data an asset or a liability? This thought-provoking question should be considered by all IT managers and real thought given to what is collected and how it's managed. Scott Lowe explains.

Data is the lifeblood for many organizations.  But, is that data an asset or a liability?  This thought-provoking question should be considered by all IT managers and real thought given to what is collected and how it's managed.  Scott Lowe explains.

—————————————————————————————————————

I spend a lot of time reading and perusing the forums for various groups to which I belong.  Last week, one question stood out from the others and really piqued my interest: Is data an asset or a liability?

I've always considered data to be an asset when it's use correctly and ethically.  I've written previously about business intelligence efforts at Westminster College and, to be sure, data is critical to the success of any data-driven initiative!  The data that we have in place is a treasure trove of information that, once leverage appropriately, will provide us with additional insight into our operations and student performance.  The goal, ultimately, is to use data in ways that allow for faster, better decision making.  Organizations across the board use data to help achieve their goals.  Sales organizations mine their data in an effort to extract additional money from established customers.  Credit companies make heavy use of data and trending to assess risk of individual debtors and then apply what they consider to be fair rates and fees based on this information.  Again, in this case, the data is an asset in that it allows the company to make decisions based on real information.

All that said, I can see why the question was asked.  After all, don't we all build moats around, install razor fences around and otherwise do everything in our power to protect the data we handle from falling into the wrong hands?  There are countless stories out there about organizations that have, for one reason or another, lost control of their data and it's been leaked to the world, creating both technical and PR nightmares for those companies.  In this sense, the data we protect is clearly a liability as it can provide those with less desirable intent with a motive to steal it.

What almost all of us have sitting in our data centers is a treasure chest that could be world its weight in gold on the black market.  However, although that treasure can be leveraged by the organization to provide significant insight into the business, the rules governing access to that treasure must also be strict enough to keep the organization from being the next front page security breach story.  In my opinion, after considering this question, I still believe that data is a major asset to the organization, but that asset must be protected or it can quickly turn into a liability.

Some (probably obvious) ways to protect your information:

  • Collect and store only actionable information. At Westminster, as we develop new ways to collect information, we're asking ourselves a key question: "Is this information actionable today?" If the answer is no, we won't ask for the information. A "we might need it someday" answer is not a good enough reason to ask for information for two reasons - 1) It places additional burden on the person providing the information; 2) If there ever is a breach, it's just more information that we lose. If we ever do need to begin collecting that information, we will do so when a justifiable business need arises.
  • Protect your information from both the inside and outside. You probably know that a huge number of security breaches are inside jobs and are not the work of cyberstalkers prowling through your electronic jungle. Of course, you do need strong protection from outside threats, but never overlook the obvious internal threats. Provide employees with the most minimal level of access they need to get their job done. While most employees are good, upstanding people, as soon as you run across one that doesn't fit this mold, you could be in a world of trouble.
  • Test your backups. The failure of a backup can put an organization out of business. Remember, data is an asset, and is sometimes an organization's largest asset. Treat it as such and make sure that you can recover from a failure anywhere in the chain.
  • Be complaint. Of course, there are a number of organizations for which data security standards are governed by regulation from either the government or from large entities, such as credit card companies. Make sure that you're following the rules. If you don't, your data (or, your failure to follow the rules) can quickly become a liability in the form of large fines.
—————————————————————————————————————

Have a topic idea or question you’d like me to address or answer in a future post?  Email me directly right here at trfeedback@slowe.com.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

4 comments
tonyc
tonyc

Intriguing post that got me thinking. At the moment I am trying to return some structure to the way our organisation has stored business content (according to personal whim in many cases). We can't throw anything away in case it is an important record, but equally we can't easily separate the gold from the dross. It's not just the security issue that makes it a liability; there is disk capacity, backup, management and the time it takes to retrieve (or recreate) information.

adams_john73
adams_john73

Interesting post with some good points. However, the author is greatly mistaken on two key points. The first, store only immediately actionable data, and secondly, give users only the data they need to complete their jobs. I have been in IT for 13 years as a database expert and I am also an accountant. As anyone who is involved in scientific research knows, there are often traits about data that do not become apparent until enough data is collected to notice statistical significance. Failure to collect this additional data, when it is easy to do so at the beginning, results in lost opportunity and insight into your business. The second point, give only users data they need often results in additional lost opportunities because IT takes on the role of determining what data is valuable to the user. The IT department rarely has the knowledge needed to determine what data is needed and what is not. It has been my experience that time lobbying IT staff to provide data and having to give extensive justification to some IT admin who doesn't understand the difference between COGS (cost of goods sold) and WIP (work in progress) is a completely non-value-added activity. It has been my goal as a database expert to provide the user with the maximum amount of data and to let them determine what is significant.

johnfranks999
johnfranks999

I like to pass along things that work, in hopes that good ideas make their way back to me. As CIO, I'm always looking for ways to help my business and IT teams. Check your local library: A book that is required reading is I.T. WARS: Managing the Business-Technology Weave in the New Millennium. It has a great chapter on Content Management and its implementation. That chapter is great if you?re struggling with your organization?s definition of CM ? particularly if Business is having a difficult grasp of it ? and the chapter helps any organization to the proper understanding and sizing of it for best return on investment. It even uses CM vendor and product selection as a repurposable model for selection of solutions partners and products for other areas of IT/Business. The author, David Scott, has an interview here that is a great exposure: http://businessforum.com/DScott_02.html The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. In the realm of risk, unmanaged possibilities become probabilities ? read the book BEFORE you suffer a bad outcome through poor content management, or lack of a CM system. In particular, it has helped us to understand that, while various systems of data security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.

Scott Lowe
Scott Lowe

These are very good points. When it comes to scientific data and its like, I agree with you... collect as much as possible and figure out how to use it. However, when collecting personal information about customers, we have to keep in mind what happens if that datais stolen (the liability side) vs. its applicable use right now (the asset side). If it's not as asset, and we can't figure out yet how it could be an asset (as in, we're not using it), then all that's left is the liability side of the equation. On the role of IT in deciding who sees what: I think that's probably dependent on the organization and the regulations under which that organization works. Here, I think we do a pretty good job at letting people determine what they need access to, within boundaries. We're not, for example, opening up the payroll system to the folks in student life.