Nurturing Data Governance for Cybersecurity and AI

Towards the middle of the 2000s, I started getting my exposure to Data Governance. This began as I was studying and practising to be certified as an Oracle Certified Professional (OCP) circa 2002-2003. My understanding of the value of data and databases in the storage world, now better known as data infrastructure, grew and expanded quickly. I never got my OCP certification because I ran out of money investing in the 5 required classes that included PL/SQL, DBA Admin I and II, and Performance Tuning. My son, Jeffrey, was born in 2002, and money was tight.

For most organizations I engaged with at that time, and over the course of the next almost 18 years or so, pre-Covid, the practice of data governance was to comply with some regulatory requirements.

All that is changing. Early 2024, NIST released the second version of their Cybersecurity Framework (CSF). CSF 2.0 placed Data Governance in the center of the previous 5 pillars of CSF 1.1. The diagram below shows the difference between the versions.

High level change of Cybersecurity Framework 1.1 to 2.0.

Ripples like this in my data management radar are significant, noticeable and important to me. I blogged about it in my April 2024 blog “NIST CSF 2.0 brings Data Governance into the Light”.

There is more to Compliance

The reasons to enact and enable Data Governance in an organization just to comply with certain required regulations have to be revisited in this new era where cybersecurity challenges and AI opportunities are aplenty. Thus, this blog is to present and expand the awareness of and interest in the field of Data Governance, because we now have a golden chance to build upon the “just to comply” justification. I look at 2 more targeted reasons for a Data Governance culture:

  • A Data Management culture to fortify Cybersecurity Defenses
  • A Data Quality culture to accentuate the business value of AI

Let’s expand on both.

Ransomware is a Data Management problem

I maintain my belief that technology alone is not potent against the ransomware threat. I wrote about this in my blog “A Data Management culture to combat Ransomware” a year ago. For the purveyors of cybersecurity technology solutions in the market, pushing EDR tech, firewalls, web security gateways, VPNs, etc., promoting the shiny new tech makes many customers enthralled and excited. For a professional and practitioner, speaking about data management and data governance frameworks and processes is probably the most boring thing in the world. They don’t sell.

And yet, the ransomware damage grows each year. Bigger, nastier, more devastating than the previous years. Which is why I am maintaining my belief that throwing shiny techs (they are AI-driven now!) at the ransomware threat has been impotent.

A Data Governance framework in an organization is a disciplined approach to how data is defined, organized, structured, and used within and outside the organization. Data Management is the implementation and the practical deployment and operations of the Data Governance tenets of the organization. You can read about it in the TechTarget Data Governance definition here.

Fortifying Data

Everyone who handles data should know the data intimately. This means that new data arriving from various sources must be identified, attached with the definition of the data and its meaning to the organization’s data owners and data processors, categorized in a meaningful taxonomy as data assets with security tagging, clearance and priorities, and granted different access controls and roles for handling and processing the data within, and also outside, the organization. Data is in constant flux, on a journey, on many journeys as data pipelines to different processing stations, different use cases and in many data lifecycles.

The people and processes factors are just as important as the cybersecurity techs that organizations invest in. Only with a data management culture will we be able to fortify data to combat cybersecurity challenges, especially ransomware.

Data Governance is the blueprint of Data Security, and Data Management is the enforcer of that blueprint.

The diamond in the Garbage

There is a deluge of data. All kinds of data. Good and bad.

My friend, Dez Blanchfield, the proprietor of Elnion, wrote a very fitting article last week titled “Data Liability awareness: Understanding the implications of Dark Data in your business” relative to the topic of Data Governance. Dark data is real because I have seen it happening often and happening for decades. I was Interica’s business development manager for Asia Pacific focusing on subsurface data management, and in Oil & Gas upstream, this was the OG (Original Gangster, not Oil & Gas) of Big Data.

How do you find the diamonds amongst the sea of data? Where are the pockets of trapped petroleum and natural gases in the garbage of digital noises in the subsurface?

Seismic interpretation is the tedious and expensive set of processes and operations that focuses on finding the diamonds, the black gold. The precious black liquid from the ground and under the seabeds. And seismic interpretation relies on quality data.

Thus, we juxtapose the same set of disciplines and approaches to create value in AI projects. The notion of GIGO (Garbage In, Garbage Out) can be turned around with a positive note of Quality Data In, AI Success. And Data Governance is the foundation to prepare and enrich the data for AI.

Summation for my Data Governance case

I remain steadfast in raising the need for Data Governance. It is no longer “just to comply” because the calling of Data Governance in this new data era should be a clarion call. The opportunity to build a competitive advantage for the business both in cybersecurity terms and in AI terms is real. Time to get cracking with Data Governance.


About cfheoh

I am a technology blogger with 30 years of IT experience. I write heavily on technologies related to storage networking and data management because those are my areas of interest and expertise. I introduce technologies with the objective of getting readers to know the facts and use that knowledge to cut through the marketing hype, FUD (fear, uncertainty and doubt) and other fancy stuff. Only then will there be progress. I am involved in SNIA (Storage Networking Industry Association) and between 2013 and 2015, I was the SNIA South Asia & SNIA Malaysia non-voting representative to the SNIA Technical Council. I am currently employed at iXsystems as their General Manager for Asia Pacific Japan.
