How and Where CISOs and CDOs Should Agree on Cybersecurity and Data Management Points

By Wayne Sadin | May 8, 2023 | Updated: May 12, 2023 | 5 Mins Read

C-level information technology (IT) executives (CIO, CISO, CTO, CDO, etc.) are responsible for two things: cybersecurity and data. If our organization isn’t secure, we stand to lose everything. And if we aren’t focused on turning raw data into useful information, the organization won’t make good decisions or take appropriate actions.

For this analysis, let’s focus on two of the key IT positions: the CDO (chief data officer) and CISO (chief information security officer). The CDO’s main mission is to help the organization use data more effectively. The CISO’s main mission is to protect the organization from technology-based loss. At first glance, it sounds like these two positions might be in conflict. But in general, a modern CDO and CISO should agree completely on a number of key points:

  1. Encryption: Data must be encrypted from the time it’s created until it is disposed of. Period. That means data in motion, being sent across networks or emailed. And it means data at rest, when it’s sitting on a disk drive, backup tape, or in a cloud. Once upon a time, CDOs might have argued this point with the CISO, because encryption was implemented in slow software and hardware and could be quite inconvenient — and the CDO wants to see data used. But in 2023 there is simply no excuse for forgoing encryption.
  2. Role-based access: A person — or system — should have access to data based on their role in the organization. If you’re an accounts payable clerk in the widget division, you probably need access to widget-related orders, receiving documents, and invoices. But you don’t need access to thingamabob-related information, and you don’t need access to payroll data for either division. I don’t think you’ll find any disagreement between the CDO and the CISO on this point (although the CHRO may object to the extra work of maintaining “roles” along with job titles).
  3. Zero trust security: This concept extends that of role-based security by stating that no person or system is ever trusted by default. What that means is that every kind of access is blocked by default, and explicit permission must be granted for each kind of access (for example, CRUD: Create, Read, Update, Delete) to each data element in each situation. Remember our widget A/P clerk? In addition to role-based access, zero trust means that our clerk might have only “read” access to the three documents . . . or might have “update” access to them only if the invoice amount is less than $10K. See how powerful this can be? An A/P clerk with “create” access could create fake invoices and other documents and thus steal from the organization, but zero trust makes that much harder.

    Note that zero trust can also apply to geography (if we have no offices in Russia, why is someone accessing data from there?) or location (wire transfers can only be initiated or approved from a known corporate office), or even day/time (if you’re not scheduled to be working a shift, why are you trying to start a machine remotely?).

    Your CISO is probably — hopefully! — advocating for zero trust security across the organization. And the CDO should be in lockstep with the CISO as an advocate, because an effective zero-trust data security program makes it easy to allow legitimate uses of data while blocking all other uses.
  4. Data retention: There are two main rules for data retention.

    Rule 1: never delete any data before its time
    Rule 2: delete all data the instant you can

    It’s easy to understand why premature deletion is bad: Historical data can be a guide for analysis and decisions; it can be required by regulation or law; it can be needed to answer customer questions; and more. For these reasons, the CDO and CISO might not see eye-to-eye on how long to retain data — but your legal and compliance team usually owns the retention decision.

    The other side of the coin — swift destruction — might not be as obvious: I mean, why not save it all? Ask your CDO and CISO. Your CDO will tell you that data has cost (storage, transmission, cataloging), and your CISO will tell you that data creates risk (disclosure, alteration). The best advice I can give is for the CDO and CISO to team up with the general counsel and head of internal audit, plus business operations executives, to formulate data retention policies — and then implement the policies. And remember to revisit these policies frequently, as business and regulatory demands on the organization do change.
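
The default-deny evaluation described in points 2 and 3 above, sketched as an added example that is not part of the original article. The grant table, country list, shift hours and every name in it are constructed assumptions modeled on the widget A/P clerk.

```python
from dataclasses import dataclass

# Constructed policy: anything not listed here is denied (default deny).
# Keyed by (role, division); each action maps to an amount ceiling or None.
GRANTS = {
    ("ap_clerk", "widget"): {
        "invoice": {"read": None, "update": 10_000},  # update only below $10K
        "order": {"read": None},
        "receiving_doc": {"read": None},
    },
}
ALLOWED_COUNTRIES = {"US"}   # assumption: countries where the organization has offices
WORK_HOURS = range(8, 18)    # assumption: the clerk's scheduled shift, 08:00 to 17:59


@dataclass
class Request:
    role: str
    division: str       # requester's division
    action: str         # create / read / update / delete
    doc_type: str
    doc_division: str   # division that owns the document
    amount: float
    country: str
    hour: int


def decide(req):
    """Return (allowed, reason); deny unless every check explicitly passes."""
    if req.country not in ALLOWED_COUNTRIES:
        return False, "geography"
    if req.hour not in WORK_HOURS:
        return False, "outside scheduled hours"
    if req.doc_division != req.division:
        return False, "other division"
    actions = GRANTS.get((req.role, req.division), {}).get(req.doc_type)
    if actions is None or req.action not in actions:
        return False, "no explicit grant"
    limit = actions[req.action]
    if limit is not None and req.amount >= limit:
        return False, "amount limit"
    return True, "explicit grant"


if __name__ == "__main__":
    # Constructed request: the widget clerk tries to create an invoice.
    print(decide(Request("ap_clerk", "widget", "create", "invoice",
                         "widget", 500.0, "US", 10)))
```

Logging the returned reason for each denial gives the CISO an audit trail and shows the CDO which legitimate uses are being blocked by a missing grant.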

Final Thoughts

Across my 30-plus-year IT career, I’ve been responsible for data and for security several times. Years ago, the CISO and CDO might have disagreed on many points, due mostly to technology limitations. In the acceleration economy, both roles are business enablers and they must work closely together to drive better decisions while mitigating risk.



Wayne Sadin

CIO/CTO/CDO | CEO/Board Advisor
Independent Director

Areas of Expertise
  • Board Strategy
  • Cybersecurity
  • Digital Business

Wayne Sadin, an Acceleration Economy Analyst focused on Board Strategy, has had a 30-year IT career spanning Logistics, Financial Services, Energy, Healthcare, Manufacturing, Direct-Response Marketing, Construction, Consulting, and Technology. He’s been CIO, CTO, CDO, advisor to CEOs/Boards, Angel Investor, and Independent Director at firms ranging from start-ups to multinationals.
