Role of a CDO Managing Data Breaches
By James Howard, Former Chief Data Officer and Chief Privacy Officer for a "Big 4" Professional Services Firm
In the span of a week in December, the world saw data breaches affecting 600 million people. For perspective, that’s more than every man, woman and child in the US, Russia, Canada, Britain and Australia combined. Data protection experts recognize the challenges in implementing controls proportional to risk, and balancing every data initiative with the right set of controls. But incidents still happen.
The Chief Data Officer (CDO) is the executive who looks at the full picture around both data use and data risk. Since data is at the center of every breach, the CDO is well positioned as a key executive to work with the CIO and CISO to manage the risk of breach as well as to navigate the aftermath, protecting the organization’s brand.
Before a Data Incident
In the normal course of business, the CDO should be driving the company’s data strategy and vision, and maintaining an inventory of critical data assets. The inventory should include key metadata (ownership, obligations, location, permissions, value, uses, etc.) and insight into how data is used. This insight can help determine, among other things, whether all data being collected and stored is truly necessary, or whether some can be disposed of, which is critical to managing the risk of breach.
The inventory also forms an important part of a periodic risk analysis. The risk analysis considers threats, vulnerabilities, obligations and the relative value of the data to conclude on appropriate protections. This helps answer the questions “what could go wrong?” and “how bad is bad?”, taking into account the behavior of personnel, company culture, key business activities and the positioning of the company in the marketplace. The analysis serves to fine-tune the portfolio of controls to be employed, ranging from policy, to business practices, to training, to administrative and technical controls, and to identify where residual risks have to be accepted, insured against, or perhaps transferred elsewhere.
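The following is an added example, not the author's or any firm's method, of what a critical-data inventory and the periodic risk analysis described above can look like when written down as code. The record fields mirror the metadata the text lists (ownership, obligations, location, permissions, value, uses); the 1-to-5 scales, the threat x vulnerability x impact scoring, the tier thresholds and the sample assets are all assumptions constructed for illustration. It also generalizes slightly beyond the text by flagging two findings an inventory makes cheap to spot: data with no remaining business use (a disposal candidate) and regulated data readable by all staff (a permissions finding).

```python
from __future__ import annotations
from dataclasses import dataclass


# Hypothetical inventory record; field names follow the metadata the article lists.
@dataclass(frozen=True)
class DataAsset:
    name: str
    owner: str
    location: str
    obligations: tuple[str, ...]  # legal or regulatory duties attached to the data
    permissions: tuple[str, ...]  # groups allowed to access it
    value: int                    # relative business value, 1 (low) to 5 (high)
    uses: tuple[str, ...]         # business activities that actually consume it
    threat: int                   # likelihood someone targets it, 1 to 5 (assumed scale)
    vulnerability: int            # weakness of current protections, 1 to 5 (assumed scale)


def impact(asset: DataAsset) -> int:
    """Impact of loss: business value, raised one notch when obligations apply,
    because regulated data adds legal/regulatory exposure on top of asset value."""
    return min(5, asset.value + (1 if asset.obligations else 0))


def risk_score(asset: DataAsset) -> int:
    """Threat x vulnerability x impact on a 1..125 scale (assumed scoring model)."""
    return asset.threat * asset.vulnerability * impact(asset)


def control_tier(score: int) -> str:
    """Map a score to a control portfolio; the thresholds are assumptions."""
    if score >= 60:
        return "enhanced"   # explicit requirements: encryption, access control, monitoring
    if score >= 25:
        return "standard"   # classification-driven controls applied by the CIO/CISO
    return "baseline"       # policy and training only


def disposal_candidates(inventory: list[DataAsset]) -> list[str]:
    """Data nobody uses is liability without benefit: flag it for review and disposal."""
    return [a.name for a in inventory if not a.uses]


def overexposed(inventory: list[DataAsset]) -> list[str]:
    """Regulated data readable by every employee is a permissions finding."""
    return [a.name for a in inventory if a.obligations and "all-staff" in a.permissions]


def risk_report(inventory: list[DataAsset]) -> list[dict]:
    """One row per asset, highest risk first, with the suggested control tier."""
    rows = [
        {"asset": a.name, "owner": a.owner, "score": risk_score(a),
         "tier": control_tier(risk_score(a))}
        for a in inventory
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory (fictional assets and scores).
INVENTORY = [
    DataAsset("customer_pii", "Head of Sales", "crm-db", ("privacy law",),
              ("sales", "support"), 4, ("billing", "support"), 4, 3),
    DataAsset("hr_records", "Head of HR", "hr-system", ("employment records law",),
              ("hr",), 3, ("payroll",), 2, 4),
    DataAsset("legacy_marketing_export", "Marketing", "file-share",
              ("privacy law",), ("all-staff",), 2, (), 3, 5),
    DataAsset("public_product_catalog", "Marketing", "web-cms", (),
              ("all-staff", "public"), 1, ("website",), 2, 2),
]


if __name__ == "__main__":
    for row in risk_report(INVENTORY):
        print(f"{row['asset']:<26} score={row['score']:>3}  tier={row['tier']}")
    print("Disposal candidates:", disposal_candidates(INVENTORY))
    print("Regulated data open to all staff:", overexposed(INVENTORY))
```

The report is the artifact the CDO hands to the CIO and CISO: the tier column is the business requirement, and the two finding lists are the cheapest risk reductions available, because deleting unused data and tightening permissions remove exposure without any new technical control.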
Based on their insight, the CDO provides business requirements to the CIO and CISO, driving appropriate technical measures to provide protections. Depending on the sophistication of the organization, the requirements could range from simply providing data classifications, to which the CISO or CIO react, all the way to explicit requirements for, say, encryption and access control.
In addition to the CIO and CISO, the CDO is connected with the Board of Directors, senior executive leadership and internal audit to keep them aware of how the company is using data as well as the risks and controls. This allows them to understand the risk/benefit trade-off around data use, and to weigh in on whether the business opportunities related to data use are sufficiently compelling. The CDO also maintains relationships with the CPO and counsel to understand the legal aspect of obligations, and to obtain sign-off on the sufficiency of the compliance programs. The CDO should understand their regulators’ expectations and requirements around handling data, making sure the protection controls meet those expectations. These steps are key, because most breaches, especially where regulated data is involved, will result in legal or regulatory exposure, and transparency with counsel and regulators will streamline investigations.
During a Data Incident
Sometimes, a target organization is aware of a data incident as it’s occurring. Many companies have processes to respond in this event, which may focus on containment, interruption, or other priorities (allowing an attack to proceed in a controlled way may help law enforcement with their investigation).
The CIO and CISO are usually at the center of these activities. The CDO should be available to help answer questions about the nature and location of the data that may be accessed, as well as to begin post-incident planning. Some stakeholders (e.g., the Federal Government) have explicitly defined time frames for reporting data incidents, and the CDO can get ahead of these requirements.
Following a Data Incident
Companies should have a crisis management plan that includes defined procedures to be followed in the event of a data incident. Stakeholders include senior leadership, legal counsel, the head of security, the CIO and CISO, and often on-call cyber security consultants. The purpose is to understand what happened, how it happened, who the perpetrators were, what data was affected, the overall impact and repair, and how to prevent recurrence.
The CDO can help analyze what went wrong, by having an understanding of the processes, policies and controls around data use. The CDO can also help assess the impact of the loss, defined in terms of asset value, competitive impact, brand damage or regulatory exposure.
This analysis concludes with a reassessment and remediation of processes and controls.
Most corporate leaders recognize the near-inevitability of a data breach. Companies are appointing CDOs to coordinate the activities around leveraging data, and increasingly, they are assigned responsibility for assessing and managing risk around data. The CDO can partner with the CISO and CIO to plan, emphasizing transparency and engaging the appropriate stakeholders, to improve the organization’s information management and protection posture.