NIST CSF 2.0 brings Data Governance into the light

Over the past weekend, I watched a CNA Insider video delving into data theft in Malaysia. It is titled “Data Theft in Malaysia: How your personal information may be exploited | Cyber Scammed”.

You can watch the 45-minute video below.

Such dire news is nothing new. We Malaysians are numbed to those telemarketers calling and messaging to offer credit card services, loans, health spa services. You name it; there is something to sell. Of course, these “services” are mostly innocuous, but in recent years, scams have risen several notches in severity. The levels of sophistication, the impacts, and the damages (counting financial and human casualties) have rocketed exponentially. Along with the news, mainstream and otherwise, the levels of awareness of and interest in data, especially PII (personally identifiable information), among Malaysians are at their highest yet.

Yet the data theft continues unabated. Cybersecurity Malaysia (CSM), just last week, reported a 1,192% jump in data theft cases in Malaysia in 2023. In older news from last year, cybersecurity firm Surfshark ranked Malaysia as the 8th most breached country in Q3 of 2023.

Battling data thefts is not only about technology.

I have always maintained that battling ransomware is not just a cybersecurity responsibility. There is a funny video online (see below) about employing a security check at a stadium.

Everybody gets in, not because there isn’t security in place. It is because the processes, the procedures and the policies for implementing the required security are not there. Thus, from my point of view, cybersecurity, its technology and its implementations, should be part of the organization’s data management culture. The culture of data management must be in place to reduce and minimize risk in how these organizations secure and protect customers’ and employees’ data.

Instilling a Data Governance framework

What is Data Governance? In a few bullet points, I summarize Data Governance as the policies, procedures and processes that:

  • Define who owns the data in the organization.
  • Define the permissions and access controls allowed on the data when it is assigned to individuals inside (and outside) the organization.
  • Define the confidentiality, integrity, availability and security mechanisms around the organization’s data.
  • Define the data protection and data privacy of the data in the organization.
  • Define the alignment and compliance of the organization’s data with internal and external regulations and laws.
  • Define data usage, retention, and ownership of the data throughout the data lifecycle in the organization.

Many organizations, especially in the medium and large enterprise categories, that I have engaged with throughout my career in the Asia region lacked data governance. They say they have a data management culture, but I have seen on occasions that the data governance piece is glaringly tepid. In the end, data management without data governance is just like a house without a blueprint. You can still build the house, but it probably lacks the required foundation to make the house a livable and living house.

Some anecdotes of mine: “Oh, so-and-so has the data”. “Yes, everybody can see the data”. “Yes, we attached the salary details of our employees in our email to the CFO to review”. The last one happened to me twice while employed at a very large global company, in a nicely formatted, for all to see, Excel spreadsheet, because my email name was rather similar to the name of the Finance Manager in Malaysia.

A revamped NIST Cybersecurity Framework (CSF)

I have been a follower of the NIST Cybersecurity Framework (CSF) for a number of years. After dwelling on version 1.1 since 2018, NIST announced the new Cybersecurity Framework (CSF) version 2.0 in February 2024. I was duly excited. The new framework is shown below:

NIST Cybersecurity Framework 2.0 with a new Govern pillar.

Among the various updates and additions in CSF 2.0, the Govern pillar is the most prominent piece in the modernization of the CSF for data management and cybersecurity best practices. It pushes forward the vital importance of Data Governance, encircling all the other 5 pillars of Identify, Detect, Protect, Respond and Recover. Data Governance is now the heart of CSF 2.0. The CSF continues to guide many organizations as they navigate the treacherous and dangerous waters of the borderless, digital world.

Data Governance at the center of TRUST

What outcome do we get from Data Governance? In my opinion, it is Trust in the organization. It is trust in the data that it sources, procures, shares and stores, as the data lives through its life cycle in the organization. In a noisy and dangerous world, the presence of Truth is getting rarer. Misinformation, disinformation and fake data are now part of our daily lives, and are getting more and more pervasive. Our own personal data is at risk and is easily stolen and compromised. On a global scale, societies are in crisis.

Thus, I call upon all organizations to look into data governance. Data Governance plays an integral part in the handling and management of data in an organization. Building trust in the data from bottom to top, from top to bottom, left and right enables the right consistency, relevancy, timeliness and confidence in the data in the organization. Data Governance is a formalized and organized yardstick and rudder to ensure that the organization navigates its core values correctly, and with high standards. It ensures compliance with standards, be they regulatory ones in the organization’s industry or ones the organization adopts to build trust in its brand.

When done right, Data Governance builds the DIKW (data, information, knowledge, wisdom) culture. Data Governance must be at the center of Trust in the data in the organization. We must retain Trust in the data throughout the organization. Data Governance leads the way.


About cfheoh

I am a technology blogger with 30 years of IT experience. I write heavily on technologies related to storage networking and data management because those are my areas of interest and expertise. I introduce technologies with the objective of getting readers to know the facts and use that knowledge to cut through the marketing hype, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then will there be progress. I am involved in SNIA (Storage Networking Industry Association) and between 2013-2015, I was the SNIA South Asia & SNIA Malaysia non-voting representative to the SNIA Technical Council. I am currently employed at iXsystems as their General Manager for Asia Pacific Japan.
