It seems to be popular these days amongst industry pundits to recommend that organizations add a new Cxx role: the Chief Data Officer (CDO). The arguments in favor of this move are exactly what you'd think: the rapidly accelerating importance of information in the enterprise, and, as important, the heightened perception of the importance of information by business executives. The attention on information comes from all the rich new data that simply didn't exist before: sensor data from the Internet Of Things, social media, process data -- really just the enormous volume of data resulting from the digitization of everything. Add to all that: new technology to handle big data in a reasonable time frame, user-friendly mobile computing in the form of tablets, data virtualization software and data warehouse appliances that significantly accelerate the process of getting at the information for analysis, and the promise of predictive analytics, and there's plenty of cause for an information management rennaisance out there. With a little luck, the activity it catalyzes will also improve enterprises' ability to manage the data and content that's not so new but also very important that we've been struggling with for the last decade or so.
The only argument against creating this role that I've run across is that if CIOs and CTOs did their jobs right, we wouldn't need this new role. That's pretty feeble since we're not just talking about IT's history of relative ineffectiveness in managing information outside of application silos (and don't get me started about content management) -- we're adding to that a significant increase in the value of information and a significant increase in the amount of available information. And then there's the fact that the data could be in the cloud and not managed by IT, and there's also a changing picture regarding risk that suggests a new approach.
I was talking with a client the other day about the reporting structure of her applications organization. The group had a single leader, but underneath, it was subdivided into groups that were a combination of technology (website, data analytics, intranet), business unit (four major ones), and IT processes (QA). The leader of this group knew that every organization is different based on the culture, size, maturity of managers and a dozen other factors. However, she was seeing a lot of friction between groups and wanted to know what structural changes other organizations had made and what the tradeoffs were.
We started by talking about the direction of the organization. In particular, she needed to determine if the business units were moving to greater integration of their data and processes or whether the business silos formed were just fine. Though most organizations are moving to greater integration, this is not an obvious answer, as some companies have run-off business areas that are in maintenance mode and may be kept separate. For this call, she asked that we assume the company needed greater integration. There were other drivers around growth and cost containment that we discussed as well.
I was reading an article recently which outlined the different agencies employed within the United Kingdom to protect against cyber-threats. Not including the armed forces, who would have specialist roles to play in any particular cyber-threat scenario, it transpires that there are 18(!) different players covering this space, each with overlapping strategies, policies and expenditure. The formal report, from the UK Government’s Intelligence & Security Committee, was wonderfully understated, speaking of "confusion and duplication of effort".
Such difficulties bring to mind the challenges we face in our global organizations, which are often made up from different corporate entities. Similar issues can happen to our security management functions - we overlap, overspend and contradict – all to the detriment of the enterprise as a whole. Managing a global information security function in an optimal manner is no easy task; it takes careful planning, an understanding of essential roles & responsibilities and the ability to manage some elements remotely.
I’ve recently published two papers relating to these very topics. If you are considering a reorganization, or just interested in what top performing security organizations look like right now, check out these links: