Data Governance in the Age of Cyber Threats
With a very good supply of great books and articles about cyber risk and governance, we don't need another 'buy this', 'implement this', and 'all will be okay' approach - we need something different as we enter a new scale of cyber security and defence problems. Recognising and understanding that our vulnerabilities will increase and become more visible is easy. While AI forces us to rethink many of our existing risk and governance models, do we, as leadership, need to think even further?
The easy part, and CISOs or CISROs get it, is that there is never sufficient budget or resources to do the job justice - but as a C-suite, we have to balance many conflicting demands. Innovative and creative individuals find vulnerabilities we did not know we had, and this inescapable cat-and-mouse dilemma keeps many of us awake at night. Budget and resources alone will not make us more secure or less vulnerable - but they help.
The difficult part is breaking the system/cycle. We know that bigger, wider, and deeper walls don't work, and balancing security policy with usability creates dilemmas we wish we did not have to face, but that is the role.
But while there is value in data, intelligence, intellectual property, and our assets, we remain a target. As we grow, so does our value, and, therefore, so does the likelihood of being a target. This, coupled with an ever-increasing number of aggrieved individuals (internal and external) having problems with our actions and activities, means that threats only ever increase.
However, as strategic thinkers, we need to consider what is beyond the immediacy of our AI vs. the hacker's AI. The new arms race we are in is easy to predict, and the majority of providers are focused on selling us more tools, gadgets, and processes that promise to solve a relentless problem. However, should we just accept this is the game, or should we start to think strategically about how to change the game or the rules?
Leadership skills are critically important on both sides of war, defence and attack. Leaders who have access to information, intelligence and data have the “star” influencing factor, which will change the outcome, favouring the side that has the best data and is able to act. Therefore, a substantial amount of leadership thinking, training and models were developed and extrapolated from our historical military experiences, coupled with the latest scientific ideals. Today, the “any intelligence data mantra” has become the foundation that drives the desire for “more data and information.” However, more data has become a rooted assumption that often remains unchallenged by old and new leadership; it is sort of sacrosanct. Anyone who suggests that less information, intelligence or data will lead to better decisions or outcomes is seen as a heretic or just stupid. The idea that it is obvious that more is always better should be challenged.
Growth in the value and protection of “data” is one of the games unfolding alongside the systems in which the data rests. Protecting these two demands the majority of time, budget and resources. The system is the system, and our architecture and processes are constantly changing and being updated to prevent and overcome vulnerabilities. This is unavoidable. However, the ontology, purpose, value, provenance, and attestation of the data we have are things we should probably go back to and debate again. When we started, we did not need a data philosophy - but it might be a way to change the game.
There are three important emerging data philosophies.
1. We are only data: Data can and will be able to represent you in every detail. Your data will know better what you will do next than you do. We (humans) are really very simple rules-based engines (chemistry) - but the scale and scope of interactions make the simple look complex. But fundamentally, we are only data. This view was popularised in the mid-eighties by Eric Schmidt, the then-CEO of Google, who implied, “Google will know better what you will do next than you do.”
2. We are far more than data: No matter how much data can be gathered about me, it will never be able to understand or represent me. The complexity of how my DNA interacts with my gut microbiome and brain, which depends on my nutrition, means I don't know what I will do next. We are far more than data. This view has grown in popularity as we discover more about the actual scientific complexity of the human body/mind and what makes us think what we think in the context and environment in which we live.
3. The agnostic: Data philosophy is rubbish. Data is a tool. Data is oil, sunshine, and labour - it is just a thing to be exploited and manipulated by us. We are in control. Data has no meaning; wisdom is a label and is no more than more data. Note: the idea that data will tell you what to do is not a philosophy or ontology but a capability. You can always bend data to get it to give the direction you want. The agnostic believes data will confirm what they want to do. You are actually agnostic to the risks, consequences and impact - just like the extraction and use of oil.
Note: There are about eight data philosophies, but this discussion only covers three.
Putting these philosophies into the context of Cyber Risk & Governance. If we, as a board and senior executive leadership team, believe that:-
Humans are no more than data, then we need as much data as possible, and we need consistency across policies for privacy, consent, exploitation, and use. We need to invest in protecting this asset with substantial budget and commitments beyond anything we have done to date.
Humans are far more than data, so we need as little data as possible. We need to invest in transparency and other aspects to help the market see that we minimise data and delete it as soon as it is not relevant. We also have systems to protect the user from ever being identified.
We are agnostic, then why are we worried about data, bias, attestation, and anything that determines whether the data is valid, true, or trustworthy? Data is just a tool for us to manipulate and deliver the results and outcomes we want. Buy the data we want when we need it and keep everything else to a minimum, such that we are protected but there is no/minimum value in the data we have.
The question the CEO should ask
Do we want to use the shift to AI to change the game and rules, or do we just see it as a way to scale up all the problems we currently have?
He is the Chief Digital Officer (CDO) of Digital20, based in London, UK. He is a Board Trustee of the Institute Of Neurodiversity ION. He is a Visiting Lecturer in AI and Ethics at The London School of Economics and Political Science (LSE); and Visiting Fellow, Henley Business School.
Owned by: Institute of Directors, India
Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.
About Publisher
Bringing a Silent Revolution through the Boardroom
Institute of Directors (IOD) is an apex national association of Corporate Directors under India's 'Societies Registration Act XXI of 1860'. Currently it is associated with over 30,000 senior executives from Govt, PSU and Private organizations of India and abroad.