Too much security can be worse than not enough security, argues Adam Redd, CTO of integration and migration software company GT Software. In an interview with The Enterprisers Project, he explains why.
The Enterprisers Project (TEP): How do you balance the need for protection with employees' need to have access to data to do their jobs?
Redd: Balance is exactly the right word here because many CIOs instruct their teams to protect data at all costs. Frequently that can come at the expense of data being so extremely difficult to access that it hinders employees from seeing the critical information they need. Often, the controls can make accessing data so slow and cumbersome that employees either cannot be effective in their jobs, or worse, they attempt to create an ungoverned solution on their own.
TEP: What are the biggest mistakes CIOs and other tech leaders make around such data?
Redd: One challenge for CIOs and other tech leaders is implementing proper policies, standards, and procedures for adequate governance around mission-critical data. It should not be so restrictive that data users create workarounds to access and store data.
Just as there is great risk in letting sensitive data get into the wrong hands, there is also an indirect danger of making data so cumbersome to find or access that when employees who need it get it, they create their own private data silo that is more readily accessible. This creates a risk for decisions to be based on outdated information. What's more, data in these silos may not be shared with others for fear that if discovered, it will be "trapped" within the IT lockdown. By creating incredibly tight control, a CIO can inadvertently create an illusion of security while actually increasing the risk for data breaches due to unknown disparate data sources.
CIOs should treat data access as a service for the data users, making it easy to find, access, and use, quickly, from one single source. By providing a single source for data that is easy to find, simple, and fast, they are ultimately creating a single source for data to secure and govern.
TEP: What advice would you give CIOs for dealing with sensitive data that their organizations need to gather and store?
Redd: I would recommend implementing proper security and governance through a central virtual data services platform that gives data consumers, from business analysts to application developers, a simple and easily accessible platform for all enterprise data, like a "Real-Time Data Supermart." This would provide a win/win for both governance and ease of use. The CIO would be able to maintain control over the format, structure, access and security of the data by granting permissions or preventing unauthorized access. The user can access all the data that spans the enterprise through this one self-service source. And, regardless of the original format, the user should be able to access and restructure the data virtually so that it can be used how and where the user needs it.