Around the world, many businesses fail because they’re not focused on what matters most – their data. Managing and protecting data in a meaningful way requires a slew of solutions, policies and procedures, all of which must form part of a data-centric strategy. Managing and protecting data is not only complex, but expensive in an ever-evolving business and technology landscape, with burgeoning data volumes, and one that has been made even more difficult by the accelerated work from home, cloud and digital transformation initiatives hurried in during the pandemic.
One thing is clear. Changes are impossible to keep up with unless your data protection and management initiatives constantly evolve alongside the business.
Gartner’s hype cycle maps out a common pattern of five phases that a new technology goes through – namely technology trigger, peak of inflated expectations, trough of disillusionment, slope of enlightenment, and plateau of productivity. According to Andrew Jackson, Group CISO for Performanta: “We have this with AI and blockchain, and to a degree, data has also undergone a slower version of this cycle. The success of US technology giants in using purchasing data to determine the behaviour and desires of a customer, or locational data to provide time-sensitive data for mobile advertising, and the revenue it has generated, has mostly obscured the facts that data needs context. You often need large amounts of it, and other information, to create a valid supposition about something. The value of data is often immediate and then of little use. In this day and age, a lot of the data we have is in a legacy language and in disparate silos, so the ‘data sherpa’ is a job title nowadays, revolving around finding, getting, transporting and translating data so it’s useful. More often than not, data-led business cases are failures as, aside from aggregating the data, the people who create the business case often vastly overestimate the importance and relevance of the data – the business case often fails the ‘so what’ test. Since not all data is equal in value to a business, you have to think carefully about the provenance and validity of the data that you are using and what you want to achieve with the data.”
Hemant Harie, MD, Gabsten Technologies, says data management is mostly understood to be the backup of the IT environment. “However, it’s important to understand the evolution of data management from a traditional environment to the modern IT setting. In the traditional setting, there were specific working hours and systems backup was usually conducted in the evening, at a specific time, and locations of files for backup were static. In the modern IT environment, data is generated at any time and accessed from anywhere and is sprawled across multiple devices and locations. In addition, modern IT environments include advanced infrastructure that scales dynamically and applications and new systems that are deployed quickly, all of which require backup. Once you understand this evolution and what to look out for, you need to understand your organisation’s requirements and backup what you need to. This will allow the data management and protection strategy to take form for implementation.
Since not all data is equal in value to a business, you have to think carefully about the provenance and validity of the data that you are using and what you want to achieve with the data.
Andrew Jackson, Performanta
“There are many options available, however, not all options will suit every organisation. It’s important to have a solution that can grow and evolve with the company, without the need to replace the entire data management solution each time there’s a new requirement. Companies should take advantage of a comprehensive data management strategy that extends outside of the traditional backup component. A comprehensive data management strategy includes storage management, replication, disaster recovery, indexing and making the data searchable.”
Start with the business
Any data management and protection journey should begin with the business, says Tony Nkuna, senior consultant and integration specialist at TechSoft International. “A company must understand the data lifecycle in its organisation and identify which data needs to be better managed and where pockets of data reside. It’s easy to bolt on a technology solution after the fact, but data is liquid and spills into every aspect of a business. Know the purpose of your data and create appropriate and defined data policies that align with governance and compliance requirements. The fact that legislation requires businesses to have data policies should not be viewed as a hindrance to your business. It should be put front and centre of any data management policy. Have a view of all disparate systems within your organisation, and a centralised layer to manage all the data in these systems. Whether reference data, metadata, transaction data and master data, the adoption of a multi-domain, multi-vector master data management that offers a way to model, manage, and govern all your data domains across the enterprise is vital. We often see a need from customers to manage data domains such as products, customers, employees, suppliers, financial hierarchies, reference data, and more.
“Data management allows you to take ownership of the management of all your common artefacts and processes; this paves the way to collaborate with your data and helps create a foundation to streamline compliance efforts. This lets you govern and protect your data with confidence as you can establish collaborative governance processes that integrate workflows, stewardship, version control, and audit trails. Remember, governance is a moving target, so your data needs to be in a state where you can manage and change it quickly. When these parameters are in place, and you know where your data is and its purpose, you can then better protect it, secure it, and even replicate it for backup purposes.”
On the front foot
For Angelique Uys, Altaro channel manager at Networks Unlimited, when it comes to implementing a data management and protection strategy, it’s critical to be proactive instead of reactive. “Identify business objectives and determine which data is important for business continuity. Next, determine how to secure this data and where it will be stored and replicated, whether onsite, offsite, in the cloud, or all three. Finally, find the right technology and establish data governance. Software that provides a backup strategy for added security is recommended as it allows businesses to manage and monitor all backups from a single online console. Backup software should be user-friendly and easy to use, so as not to add to the existing stress related to an emergency recovery operation.”
It is always better to have something and not need it, than it is to need it and not have it.
Angelique Uys, Networks Unlimited
There are also several points of failure to avoid. Harie says companies should have some sort of data recovery solution in place – anything is better than nothing. “If you don’t have anything in place, data recovery isn’t possible. Having a solution in place means there’s a recovery point objective, instead of having to start from nothing again, which could be catastrophic for a business. Understanding what the risks of failure are can help companies prepare for and mitigate these risks. The implementation of a data management and protection strategy must follow some form of project methodology, whether it’s an inhouse guideline or a globally-followed principle.”
According to an article from Gazette.com, 75% of small businesses have no backup plan, a shocking statistic, in that, should disaster strike these businesses many won’t return from it, says Uys. “A common mistake made by many businesses is believing that if they have a cybersecurity solution in place, their data is untouchable. This, however, is not the case. It’s always better to have something and not need it, than it is to need it and not have it. As US statesman Benjamin Franklin once said: ‘By failing to prepare, you’re preparing to fail’. The biggest point of failure to avoid is believing that your company is too small to have a backup solution in place, or that your most valuable data is safe on a memory stick.”
Privacy by design
No conversation about data can be had without mentioning privacy. According to Nkuna, by its nature, ‘privacy by design’ implies that a business needs to create a framework that ensures that privacy is baked into all data points of a business.
Ultimately, privacy by design is based on better design of the technology supporting the data. Many vendors are already doing this with master data management, metadata management, and data virtualisation tools where data management and data security are proactive and not reactive, and privacy is preventative, not remedial. The bottom line is people and external threats are the biggest challenges facing data privacy, so when building or baking privacy into every aspect of the data lifecycle, no action should be required from individuals and privacy isn’t clumsily bolted on after data is created. It’s a mix of a culture and technology change a business needs to practice.
Understanding what the risks of failure are can help companies prepare for and mitigate these risks.
Hemant Harie, Gabsten Technologies
A data management solution must be able to integrate into the authentication and security policies of the system in place, adds Harie. “Something that’s not often considered is that as the data management solution hosts a copy of an organisation’s production environment or a business’ critical systems, it is crucial for the data management solution to integrate with the company’s overarching security policies. This is due to the owners and administrators of the solution essentially having access to this critical data. Hence, reporting and restricting what data is restored and moved via data management is key to the privacy by design feature in backup solutions.”
Jackson adds that in this background of an unholy rush to get data, especially personally identifiable information (PII), the relevance of data is lost. “GDPR and PoPI are attempts to move data from a mass market consumable to what it actually is – data owned by individuals, which can, if abused, be used to the individuals’ detriment, such as identity fraud, profiling, autonomous decision-making based upon flawed algorithms. Changing large business models, predicated upon the use and or abuse of individual’s PII will take time. Successful businesses using PII will delay, prevaricate and occasionally fib, to get as much revenue in for as long as possible.”
Uys adds that PoPI has made people more aware of how sensitive data actually is, and how well businesses need to protect the personal information that resides on their systems.“So much limitation is placed on the processing of personal data, and once you have consent, you need to ensure that it’s stored and kept safely. Businesses must ensure that they’re compliant, and for many, this means they’ve had to employ a compliance officer and restructure their entire data management strategy.”
Zero trust
Starting with a zero-trust methodology would make this journey a lot easier for most organisations, adds Harie. If a company is already established in terms of using a more traditional data management system, then its journey to implement a data management strategy must include compliance with PoPI. Traditionally, the backup plan would be to protect everything that falls under IT. However, this now poses a new challenge with PoPI, as PII is hosted in new locations. A data management solution is now required to identify the sensitive data within the business and report on it. Yet, this is only one portion of the regulations. “Another portion talks to the destruction of sensitive data. This means that a data management solution now has to identify and destroy sensitive data. There are also other elements of compliance and security that would need to be adhered to, which means your data management solution needs to be compliant with the regulations and also enable compliance.”
Speaking of how SA businesses can measure and demonstrate compliance with global data privacy regulations, Nkuna says in many cases and many globally affiliated or multinational organisations, we already are. “Data privacy rules may differ in countries, but the principles they apply to are the same. PoPI goes a long way to getting us on the same footing as the rest of the world as the premise of why data needs to be safeguarded is based on global best practices.Where we’re dragging our heels, though, is in understanding that while data may be amorphous, it needs to be centralised, and technology can help do this. Data living in spreadsheets all over a business will make a global compliance office cringe. Building a complete compliance data foundation then opens the power of data. The real power of data does not lie in your ability to send out marketing emails. It lies with the extension of applying smart technologies into the mix, embedding artificial intelligence and machine learning, discovering connections, and defining your data assets. When applied, these technologies will also assist data management principles to include multiple algorithms that learn how to tag data assets with the appropriate business definitions and classifications. When you have this deep understanding and central view of your data and its behaviour, you can also ensure its compliance, not just use it as a marketing resource.”
* This feature was first published in the October edition of ITWeb's Brainstorm magazine.
Share
* Article first published on brainstorm.itweb.co.za