C-level information technology (IT) executives (CIO, CISO, CTO, CDO, etc.) are responsible for two things: cybersecurity and data. If our organization isn’t secure, we stand to lose everything. And if we aren’t focused on turning raw data into useful information, the organization won’t make good decisions or take appropriate actions.
For this analysis, let’s focus on two of the key IT positions: the CDO (chief data officer) and CISO (chief information security officer). The CDO’s main mission is to help the organization use data more effectively. The CISO’s main mission is to protect the organization from technology-based loss. At first glance, it sounds like these two positions might have conflict. But in general, a modern CDO and CISO should be in complete agreement on several key points:
- Encryption: Data must be encrypted from the time it’s created until it is disposed of. Period. That means data in motion, being sent across networks or emailed. And it means data at rest, when it’s sitting on a disk drive, backup tape, or in a cloud. Once upon a time, CDOs might have argued this point with the CISO, because encryption was implemented in slow software and hardware and could be quite inconvenient — and the CDO want to see data used. But in 2023 there is simply no excuse for forgoing encryption.
- Role-based access: A person — or system — should have access to data based on their role in the organization. If you’re an accounts payable clerk in the widget division, you probably need access to widget-related orders, receiving documents, and invoices. But you don’t need access to thingamabob-related information, and you don’t need access to payroll data for either division. I don’t think you’ll find any disagreement between the CDO and the CISO on this point (although the CHRO may object to the extra work of maintaining “roles” along with job titles).
- Zero trust security: This concept extends that of role-based security by stating that no person or system is ever trusted by default. What that means is that every kind of access is blocked by default, and explicit permission must be granted for each kind of access (for example, CRUD: Create, Read, Update, Delete) to each data element in each situation. Remember our widget A/P clerk? In addition to role-based access, zero trust means that our clerk might have only “read” access to the three documents . . . or might have “update” access to them only if the invoice amount is less than $10K. See how powerful this can be? An A/P clerk with “create” access could create fake invoices and other documents and thus steal from the organization, but zero trust makes that much harder.
Note that zero trust can also apply to geography (if we have no offices in Russia, why is someone accessing data from there?) or location (wire transfers can only be initiated or approved from a known corporate office), or even day/time (if you’re not scheduled to be working a shift, why are you trying to start a machine remotely?).
Your CISO is probably — hopefully! — advocating for zero trust security across the organization. And the CDO should be in lockstep with the CISO as an advocate, because an effective zero-trust data security program makes it easy to allow legitimate uses of data while blocking all other uses. - Data retention: There are two main rules for data retention.
Rule 1: never delete any data before its time
Rule 2: delete all data the instant you can
It’s easy to understand why premature deletion is bad: Historical data can be a guide for analysis and decisions; it can be required by regulation or law; it can be needed to answer customer questions; and more. For these reasons, the CDO and CISO might not see eye-to-eye on how long to retain data — but your legal and compliance team usually owns the retention decision.
The other side of the coin — swift destruction — might not be as obvious: I mean, why not save it all? Ask your CDO and CISO. Your CDO will tell you that data has cost (storage, transmission, cataloging), and your CISO will tell you that data creates risk (disclosure, alteration). The best advice I can give is for the CDO and CISO to team up with the general counsel and head of internal audit, plus business operations executives, to formulate data retention policies — and then implement the policies. Remember to revisit these policies frequently, as business and regulatory demands on the organization do change.
Final Thoughts
Across my 30-plus-year IT career, I’ve been responsible for data and for security several times. Years ago, the CISO and CDO might have disagreed on many points, due mostly to technology limitations. In the acceleration economy, both roles are business enablers and they must work closely together to drive better decisions while mitigating risk.
This article has been updated since it was originally published on May 8, 2023.
