If data is the new oil, why are we just giving it away?

When it comes to clichés, it’s hard to bear ‘data is the new oil’. We’ve seen other variations such as ‘data is the new gold’ slide its way into the overused tech jargon category, but the fact remains that data is the key ingredient to virtually any organisation’s success. But if that’s the case, why are we so happy to give it away for free?

We see this at the consumer level all the time — people happily sign away their email addresses and personal information to sign up to new digital services, often unaware of how that data might be used or who will profit from it. We see the outrage once there’s a breach like that of Optus or Medibank last year, when our data moves to the cybercriminal underbelly, but very few people think about where their data is before it’s gone.

To use another cliché, by this point the horse has already bolted.

Something similar happens on a larger scale in enterprises and governments. Despite the proliferation of IT and data specialists working in these organisations, most don’t have any idea what data they hold and where that data is kept.

It used to simply be stored in the organisation’s ‘computer room’. Over time, as the level of applications and volume of data has exploded, there’s a mix of data stored on-premises, in external private data centres and in the public cloud, with backup systems in place between these environments. Data is created from myriad sources, duplicated, altered and shifted between different departments and up and down the organisation’s supply chain.

This has led to ‘hybrid cloud’ becoming the default mechanism for storing and managing data — one report indicated 70% of Australian infrastructure decision-makers are now using hybrid cloud. There are plenty of advantages to this, ranging from cost savings, to having ‘elasticity’ to quickly expand data capacity for new digital services.

Complexity and volume contributing to the problem

But this complexity and the massive volume of data have led to IT managers — the current data gatekeepers — not always knowing what they have, where it is or who has access.

This creates an obvious problem when it comes to data breaches. Imagine trying to make a police report or file an insurance claim without being able to identify what was stolen or where it was at the time of the break-in, but this is one of the major issues we see when victims conduct a breach post-mortem.

The risks also go beyond the acute danger of a cyber attack and the reputational and stakeholder relationship damage that comes with that. The Australian Government is striving to make the nation a digital leader and the most secure nation on the planet by 2030. With that will come a new Cyber Security Strategy, which includes rules of engagement for ransomware attacks, potentially a data localisation strategy (as indicated by Home Affairs Secretary Mike Pezzullo) and potentially updated ‘Essential 8’ cybersecurity essentials criteria.

All of this will encourage Australian enterprises and governments to uplift their cyber posture. You can bet that the phrase “I don’t know what’s gone or where my data was in the first place” won’t fly anymore.

Yes, there is much more data today. And tomorrow, there will be more. Yes, the storage isn’t as consolidated as it once was. But we need to deal with these realities and accept responsibility for knowing where our data is and how we’re protecting it.

In other words, we need better data accountability.

Cross-functional accountability

This goes well beyond the IT department. If data is as valuable as we all think it is — and it is — the responsibility of the IT group needs to expand beyond one department and up to the highest levels of leadership.

CEOs, CFOs, CIOs, CISOs and even boards need to understand what data they hold, where it’s held and who can access it. At the very least, senior leadership should take an interest in the security of the ‘crown jewel’ data, the stuff that the business cannot operate without. Once they know that, they can apply resources and funding to appropriate levels of security and support around it, for example, enhanced perimeter security as threats continue to evolve, and an immutable data backup copy which can’t be encrypted by hackers even in the event of a data breach.

Accountability and more considered thought over who we give access to, and where we put our most important asset, will help build a needed culture shift on data. Collectively we’ll keep it and Australia’s economy more protected as a result.

To use a final cliché, it’s better late than never.

Image credit: iStock.com/Dilok Klaisataporn