Data Security & Compliance Tug of War, CIO vs. CMO
Project and Program:
Enterprise Data Center
Tags:
Proceedings ,
SHARE Columbus 2022
The consumerization of IT means that the business side of large organizations is
taking control over more and more things IT. Gartner's definition of
Consumerization: "Consumerization is the specific impact that
consumer-originated technologies can have on enterprises. It reflects how
enterprises will be affected by, and can take advantage of, new technologies and
models that originate and develop in the consumer space, rather than in the
enterprise IT sector. Consumerization is not a strategy or something to be
'€œadopted.'€ Consumerization can be embraced and it must be dealt with, but it
cannot be stopped." There are the good and bad of Consumerization and what
business leaders don't understand so well is that just because something works
in consumer spaces, doesn't necessarily translate to large enterprises with
mainframes. The way the business sees things is, "it's making money in consumer
space, must be good, let's deploy it in our enterprise." What this has led to is
CxOs on the business side looking at IT as an investment for future business
return. DevOps and the term '€œvalue chain'€ are both a part of this. In
conjunction with this approach is the move of data control from CIOs over to
CMOs (chief marketing officers). Business leaders see CMOs as revenue generators
and consequently see IT as an expense department. Business leaders believe that
giving data (CRM, marketing automation, buying signal solutions, etc., social
media data) over to CMOs can be a way to generate revenue for the business. It
wasn''t very long ago (2006) when British Mathematician Clive Humby stated, '€œdata
is the new oil.'€ Business leaders want CMOs to mine this '€œnew oil'€ and generate
revenue from it. CMOs are using this data 24/7 to generate sales pipelines and
this is a risk to data security and compliance. Why? '€¢ Large organizations are
very siloed. It is likely that CMOs and CIOs rarely communicate and they are
undoubtedly in different locations in the organization '€¢ Marketing staff aren''t
data savvy in terms of compliance and security policy. Other than the general
onboarding safety and security overview that is given when they are hired,
marketing teams are unaware of a majority of threat vectors in a large
enterprise. '€¢ The number one cause of data breach is employee or contractor
negligence; someone clicks on a link they shouldn''t. Marketing staff, like IT
staff, are very overworked and understaffed. They are generally rushed to get
campaigns out and leads coming in so they don''t pay attention to the details of
data security and compliance. '€¢ Marketing staff, management in particular, have
higher permissions for data and systems in a large organization. As VP global
marketing at Allen Systems Group in 2009 I recall an occurrence I had with data
access: - I had to ask for access to 2 systems and needed access to a third. The
IT person I was requesting the access from was very busy. He knew I was IT savvy
and just gave me universal access to all systems so I would quit asking him for
access to more and more systems. I could now get to anything in the organization
without restriction. '€¢ CIOs don''t like that marketing is taking more control
over data and systems but there doesn''t have to be a tug of war. They need to
work together and understand compliance and policy standards that best protect
data for them and for the people who report to them. This presentation will go
into more detail the bullets above and we''ll discuss how IT and business leaders
can work together to ensure highest data security standards. We''ll review
examples of breaches and what we''ve learned over the past few years as data has
been wrestled from IT and moved over to the business for revenue generation.
Back to Proceedings File Library