It’s no longer a question of if a security breach will occur but rather when. This is the reality of today’s technology climate. Given the constant threat of a security attack, companies must take a more holistic view of protecting their data. They can do this by making sure their efforts are not solely focused on third-party or customer data, but on internal employee data as well. While the importance of protecting customer or other third-party data cannot be overstated, employee data is equally important and should receive the time, attention, and care it deserves.
We sat down with Desiree Robinson, Governance, Risk, and Compliance Manager at SurveyGizmo, to discuss the importance of data governance, what organizations can do to ensure employee information is protected and how to motivate everyone to take an active role in data security.
Why is data governance so important?
Just like customers, employees need to know their personal information is protected and feel confident in their organization’s ability to protect data. Failure to do so may result in a tarnished reputation, financial consequences, and loss of trust. With the exponential increase in both external and internal data that companies now gather, the importance of data governance has never been greater.
What should companies be looking at in regard to the data they’re collecting?
In my experience, many companies are too narrow in their vision of data governance. In fact, internal data makes up the majority of overall data held by a company and includes some of the most sensitive information out there.
From the moment an employee begins the onboarding process, their personal information must be accounted for. Personal identifying information such as names, addresses, and social security numbers, as well as private financial information such as bank account numbers, should be treated with the company’s best IT security and data governance policies.
What are the steps to implementing a data governance framework?
For starters, organizations should take data security and governance as seriously as they take third-party data governance. With this in mind, three key factors are needed for internal data governance:
1. A dedicated data governance, risk, and compliance function.
While this function will vary greatly depending on the size of an organization, it is essential the investment is made to build a dedicated resource or team of people to manage data governance within the organization. A key responsibility of this group is to work with the executive team to establish a data governance framework, together with a classification model that determines how different types of data are to be handled.
2. Clearly assigned roles and responsibilities for who will manage data governance.
A central governance function is essential to break down silos and to create a central point with visibility across the organization. This allows for better sharing of best practices and the ability to perform the necessary monitoring to ensure adherence to the established framework and compliance with key policies.
3. Continuous monitoring of data governance practices.
The best data governance frameworks and properly structured organizations can quickly fall apart if there is not an element of continuous monitoring. Continuous monitoring coupled with periodic validations or audits is the perfect combination to ensure the monitoring function is adequate and will protect against the tendency to loosen standards over time.
You say security is everyone’s responsibility. What do you mean by that?
What this means is security no longer belongs to just the IT department and should involve everyone in the organization. However, in practice most employees don’t see it that way and organizations do little to educate employees and reinforce this important fact. Changing behavior and processes across several departments in the name of data governance is not an easy task. When it comes to making security and data governance a priority for all employees, education and training across the organization is key.
How do you motivate employees to care about data governance?
Helping employees change their behavior regarding data security usually depends on the organization’s ability to motivate employees to simply care about data security. While there may be a temptation to use “shaming” or “negative consequences” as a method for promoting correct data governance practices, employees typically respond better when they have incentive or motivation to adapt their behaviors. For example, organizations can offer incentives and rewards for employees that report suspicious behavior during a phishing test. Providing training in the moment when the employee has fallen victim is also very effective in phishing campaigns.
Jan 2020, Software Magazine