August 13, 2021

Expert Panel: A Data Governance Policy That Pleases BI & SecOps

Written by

Business intelligence and security teams may feel like they are at opposing ends of the data pipeline. Security teams guard the data the company produces, and metes it out to the BI team as needed. BI will always want more data and context to give the business more complete recommendations. If either of these groups were to build a data compliance policy on their own, the result is likely to be weighted by the needs of the writers. But how do we get these teams to cooperate on a policy that will please everyone?

As Adam Nathan, Director of Solutions Engineering at CoEnterprise puts it, “The compliance officers would like users to have zero access, the data analysts 100% access. Data security engineers, data engineers and database administrators are in the accountable middle of all of this.”

The word “policy” often implies restrictions and consequences. But a data governance policy can actually make everyone happier, the data more secure, and business intelligence easier to come by. Understanding what everyone needs from the policy can ease the process of writing a policy that pleases everyone.

What do data security engineers want from a data governance policy?

Data security teams can be fairly single-minded in their goal to protect the company’s data from prying eyes and accidental leaks. Rich Hale, Chief Technology Officer of ActiveNav, says, “They want policies that empower them to act to protect the interests of the business by preventing data misuse and enforcing measures to control access to sensitive classes of data or, indeed, to constrain the inappropriate aggregation of such data.”

But when data security is implemented consistently with a data governance policy, security engineers are empowered to identify and stop data practices that put the company’s information security at risk. Hale goes on, “Smart security engineers recognize that they need to work with data owners and stewards to enable appropriately controlled data opportunities. Policies can enable this by defining how data ownership is determined and the responsibilities of data owners.”

In an ideal world, security teams would either securely store all data or destroy it completely as soon as possible. Barring those options, finding a data governance policy that allows for safe use of data by analysts and business users that protects both the company and its customers is vital.

What do data analysts and scientists want from a data governance policy?

On the other hand, data analysts want and need access to data from across the organization to get the best possible understanding of business needs. According to Hale, “Data engineers and analysts want their data governance policies to eliminate data silos and improve data quality. Data silos cause problems throughout an organization, no matter the size. Without centralized organization, multiple versions of information can be used, causing error and poor decision making and ultimately, lead to a loss of business value. Successful data governance equates to more accurate analytics, which ideally leads to positive business outcomes such as increased revenue.”

Breaking down these silos, or at least finding ways to transfer the data into a centralized location, is key to building a clear BI picture. Missing information from a single cloud software or standalone app can throw off key forecasts and impede decision-making.

What data governance policy will please both security and BI teams?

At their core, security and BI teams have similar goals for data governance: To centralize and control the business data for the good of the company. And building a policy that meets those needs may be easier than expected. According to these experts, a good data governance policy will provide transparency, speed, and consistency across the enterprise.

Transparency

Analysts and engineers need to know where the data comes from, what might be left out, and how the company can best use the information securely. Transparency requires understanding what kinds of data each department creates and which of those datasets it deems important.

Anthony Habayeb Co-founder and CEO of Monitaur says that a key way to increase transparency is through documentation. “Poor quality data can put the entire business at risk, so data governance policies should emphasize data quality, reliable service, and internal access controls that ensure consumer data privacy. To meet that bar, data engineers and analysts must maintain fully documented datasets with dictionaries and lineage so that they know what data they are looking at — and the quality of the data.” Building a living map of the company’s data that is routinely updated will then help the governance team better communicate their policies to the rest of the company.

Robin Bell, CIO of Egress Software says that data governance doesn’t stop at BI and security teams. “Data governance is an organization-wide policy that must be supported from the executive level, but also communicated well, so that all employees understand why it’s needed by all roles in an organization. Without buy-in at all levels, no policy will deliver on its stated purpose. At Egress, we engaged architecture, development, security, data engineering, legal and DPO teams to define our data governance policy – supported by the Chief Technology Officer and Chief Information Officer. This has resulted in a data platform that we are now increasingly democratizing access to across different business areas, reviewing and evaluating the policies as we go.”

The data governance policy should ensure transparency from both sides. Data and security teams need to understand the company’s data landscape to better secure and use the information on hand. And ideally, the business users should be able to understand their role in data security to ensure continued compliance.

Speed

The speed at which data is ingested, transformed, and stored is a delicate balance. BI teams want all the information right now, but security teams would rather no one have access to data ever. A governance policy can define how data is ingested into the system and how that data is translated and used. These policies reduce gray areas that would otherwise slow outputs for BI teams and their business clients.

Speed is always going to be a trade-off, however. Immediate access to data without oversight or cleansing may ultimately put business users behind schedule, says Cedric Dussud co-founder of Narrator. “When operational data changes, or new operational data becomes available, a good policy will ensure that it’s modeled and classified correctly for data security before allowing broad access. Though this can sometimes slow things down, the up-front investment in data quality pays off for all downstream use.”

Adam Nathan of CoEnterprise says that the policy should also increase the speed of requests across many teams. “When a compliance request is made to validate that the governance model has been implemented faithfully, a database administrator can quickly provide a structured demonstration of compliance. To not have a compliance request turn into weeks of auditing, a deeply connected approach to security and data will make this almost effortless.”

By standardizing practices and data ingestion, BI and security can increase the overall speed of business, reduce the amount of work they do twice, and ensure the consistency of data across teams.

Consistency

A good data policy will ensure that all usable metrics and data types are defined and those definitions are adhered to across data sources. This consistency makes sure that everyone is looking at the same metrics, everyone speaks the same data language, and outcomes are clearly defined.

David Mariani, founder and Chief Technology Officer of AtScale points out that “Raw data can be interpreted differently, which can lead to conflicting metrics and analysis that erodes trust in data. Data teams should collaborate with analysts to build a governed set of enterprise metrics (e.g. revenue, cost, quantities) and a governed set of analysis dimensions on which to categorize, sort, and group (e.g. time, geography, product). Implementing a semantic layer can eliminate analytics inconsistencies while providing a layer of security and governance across all forms of data consumption.” Adding a data management software is one way to govern data ingestions and dispersal, and can ensure consistency if implemented correctly.

Ravi Hulasi, Chief Cloud Evangelist at Tamr agrees that a policy that employs software for governance can provide the consistency a company needs. “Arriving at this 360-degree coverage requires companies to first understand where their data exists, usually by deploying a data catalog. The next step is to implement a mastering solution to cleanse and unify the data into a known state and central location; making it useable for both the security engineer and analyst, while maintaining the lineage back to the source for auditing purposes.”

Write a governance policy that stands the test of time

Understanding the shifting needs of the technical teams and the business users may actually be easier than you think, if you get everyone in the same (virtual) room. Define the goals and desired outcomes of your policy and work backwards.