
Tuesday, 24 September 2013

Next Generation Data Privacy & Security Forum: Top take-aways


I had the pleasure of attending Ark Group’s Next Generation Data Privacy and Security Forum on 23 September. As with other Ark Group events, the event featured some excellent speakers offering thought-provoking points of view and stimulated much discussion and debate throughout the day.

Here are some of my own personal “top takeaways” from the forum.
  1. March 2014 is a key date. The amendments to federal privacy legislation enacted in 2012 come into full effect in March 2014, and extend the requirements for full privacy compliance to commercial as well as government entities. In addition, the Australian Privacy Principles (APPs) are updated to clarify and strengthen compliance expectations and penalties for breaches.
  2. Measuring the level of privacy compliance. The measure of privacy is a function of the number of attributes in the data, and the relative size of the data set. Techniques for assuring the integrity of an individual’s identity within a data set include adding noise, restricting the types and specificity of queries, and sampling. Monitoring and analysis are crucial. For statistical data sets to fully preserve non-disclosure expectations, data must be abstracted to a level where the individual cannot be identified.
  3. “Secure the human” – Engage, Empower, Encourage. However good the security technologies and policies are, it’s people’s behaviour that creates the greatest risk exposure. Open-sourcing methods can be applied to establishing and sharing privacy requirements and security concepts. We improve the expectations and behaviours for security of data if we engage in a partnering model within our communities and with our vendors. A twin-track approach supported by both technology tools and behavioural education campaigns is required.
  4. The security paradox. We expect universal access to data with absolute confidentiality. The reality is that there has to be a trade-off, where we balance our appetite for risk against our tolerance for potential failure.
  5. ID Federation. We have a proliferation of accounts online and this is not going to get any better! Multiple unique passwords cannot be the answer and we are already moving towards a federated approach to persisting our online identities (Facebook, Google+, Twitter as de facto identification methods), though none has become a universal standard “trusted broker” as yet. Tokens are likely to be a fact of life, at least for the medium term.
  6. Information Asset Register. The Information Asset Management process is an entry point for multiple conversations – information planning, information value, information ownership, information security, information privacy.
  7. There is more to NSA than PRISM. Under the auspices of the FISA Act, the NSA has procured what amounts to unfettered access to data services and telecommunications through systems such as MAINWAY (Telco CDRs), BULLRUN (VPN, email and encryption backdoors), UPSTREAM (data tapping of fibre-optics) and BOUNDLESS INFORMANT (visualisation and analytics) as well as PRISM (data services monitoring). The full impacts are unclear, but in addition to the stated counter-terrorism purposes, it is highly likely that these capabilities are also being used for foreign policy interventions and support for US commercial interests. If using a cloud-based solution, sensitive or private data should not be stored with US-based providers.
It was interesting to note that of the eight presentations offered during the day, not one addressed technology issues in any level of detail. The implementation of IT tools was pretty much taken as a “given” by the forum, which focussed primarily on the human aspects of security and privacy risks; cultural, behavioural, policy and process concerns were uppermost in everyone’s list of areas to address. I see this as a positive shift towards a more mature (and realistic) approach to dealing with the issues associated with protecting people’s personal data while also meeting the changing needs of developing businesses.

Of course, all this is predicated on the premise that we want to keep our personal information, well, personal. For an alternative perspective on privacy management, check out Hasan Elahi’s TED Talk….

Tuesday, 10 September 2013

“I’m Spartacus!”


Who thinks they own the data?

In my last blog, I aimed to clarify the roles of “data owners” and “data stewards”. And on the face of it, establishing more explicit accountability for data seems like a good idea! What could possibly go wrong?

The reality may be somewhat different.

I was re-watching the classic Kirk Douglas film “Spartacus” the other week, and it put me in mind of the type of scenario that can occur in the Data Governance space. (If you’re not familiar with the story - which has also been the subject of a recent TV series - it tells of an ultimately unsuccessful slave uprising led by the Thracian gladiator Spartacus, which took place during the Roman Republic in the time of Crassus, Pompey and Julius Caesar.)

In the 1960 film version, at the end of a bloody pitched battle between the slaves and the Roman guard, the Romans are searching amongst the remaining survivors for our eponymous hero. All members of the revolt are offered clemency from crucifixion (the normal penalty for a rebellious slave), if only they give up their leader.

Roman Centurion: “…Identify the body or the living person of the slave called Spartacus.”

The first question in relation to data is “is there anyone who might claim to own the data?” Can someone be identified who fits the mould of a “data owner”?

Slave #1: “I’m Spartacus!”
Slave #2: “I’m Spartacus!”
Slave #3: “I’m Spartacus!” etc.

Before the real Spartacus can make himself known, one by one each of the slaves stands and puts himself forward as being the leader of the uprising in a show of defiance, and of solidarity with their leader (and effectively volunteering to be crucified). Brave? Courageous? Noble? Certainly. Effective? Clearly not.

In a Data Governance context, are there multiple owners of the data, or several candidates who would lay claim to being accountable? Which of these is most suitable, both in terms of organisational position and in terms of their ability to engage? Can you find ways of getting all of the protagonists to work together and operate in a collaborative manner, acting for the overall good of the organisation? Too many cooks spoil the broth, so the proverb goes. So too with too many Spartacuses (Spartaci?).

But what if the opposite were true? What if there’s no-one coming forward to take responsibility? Well, the Romans already had a robust plan in place to cater for such a scenario and an agonising death on the cross for all and sundry was the answer if Spartacus was not identified. But I’m not sure such a drastic approach would go down too well in these more liberal times (though you’d certainly get some attention!).

Clearly then, the “no Spartacus” solution isn’t workable.

Could we have a situation with a “conscripted Spartacus”? Someone who is pushed forward to make their sacrifice for the greater good of the group as a whole? Everyone else is saved in this scenario (at least in the short term), but I’m not sure that a co-opted approach where someone is unwillingly nominated can work very well either. The conscripted “volunteer” Spartacus gets crucified by the Romans, and the slaves are left with no leader, the rebellion is crushed, and everything goes back to the original status quo without any improvement in anyone’s lot. In our Data Governance context, a press-ganged Data Owner will usually mean no contribution, no commitment, and no success.

So, we’re left with trying to find the real Spartacus. Someone who will volunteer for the role of Data Owner, someone who is a willing and able leader who understands their responsibilities, someone who can execute against them, and someone who will be held to account for meeting their commitments. Even if we need to bide our time, we’ll have more success in the long run if that type of individual can eventually be found.

“Spartacus sum!”

Thursday, 5 September 2013

Ah! So that's what you want me to do...


Demystifying the roles of Data Owners and Data Stewards

Conversations about Data Governance inevitably turn to the question of responsibility and accountability. 

As a practitioner community, we seem to have settled on the terms “Owner” and “Steward” to represent two important roles within the Data Governance process. (Sometimes I still encounter the word “custodian” being used, though I’m always wary when anyone describes themself using the “C” word, as it usually indicates someone who is a withholder rather than a sharer…)

However, the specific expectations for such roles are not always fully articulated, can be defined in unclear terms, and may well vary from organisation to organisation.

I suggest that it’s important to encourage clarity of expectations, while also keeping things as simple as possible to understand and practise. A rules-heavy, task-intensive and bureaucratic process is unlikely to gain much traction.

I therefore prefer to focus on behavioural and cultural aspects, with the aim of encouraging a general shift in approach. I offer the following summary of key features and expectations of Data Owners and Data Stewards:

Data Owners are:
  • Accountable for the effective management of Information Assets
  • Must understand the business value of the asset and the way it creates or realises value within all business processes
  • Responsible for cross-organisational value of the asset
  • Responsible for implementing and maintaining an Information Asset to ensure it is fit for the operational purpose(s) for which it is required
  • Responsible for ensuring that an Information Asset has proper quality, security, integrity, correctness, consistency, privacy, confidentiality and accessibility
  • Owners should reside within the operational functions of the business.

Data Stewards:
  • Operation of the information asset is delegated from the Data Owner to one or more Data Stewards
  • Appointed in cases where Data Owners are not in a position to manage an Information Asset directly (e.g. due to workload or complexity of the Asset)
  • Assist the Data Owner in the day-to-day management of the information asset
  • Ensure that relevant protocols, principles, methods, processes and standards are applied (In conjunction with the Data Owner and other Data Governance functions)
  • Extract maximum value from asset over full lifecycle
  • Maintain and enhance value of asset, where appropriate
  • Manage the asset within the owner’s expectations and requirements
  • Acquisition, creation, maintenance, exploitation, enhancement and disposal (on behalf of the owner)

Note that these responsibilities are often implicit within people’s existing job functions.

By identifying the roles of Data Owner and Data Steward we are really just clarifying expectations and commitment to be mindful in our dealings with data.

What do you think? Have I accurately and fairly identified a salient set of expectations for these key Data Governance roles? Or do you disagree with these concepts? I’d love to hear your views.

Wednesday, 4 September 2013

Information Quality & Data Management Masterclass

I am looking forward with great anticipation to facilitating a two-day master class on Data Management and Information Management, to be held 16-17 September at the Grand Copthorne Waterfront Hotel in Singapore.

Hosted by Marcus Evans Conferences, this interactive workshop will cover a range of key Information Management and Data Governance issues, including:

  • Taking a more coordinated and integrated approach to the collection, collation and use of data and information
  • Strengthening information services and competencies required to manage data complexity and produce actionable insight
  • Focusing on information value through assigning formal accountability and decision rights
  • Updating with the current trends and tools in data management and governance to aid efficiency and effectiveness

The workshop includes a range of instructor-led sessions, participant exercises and industry case studies. Further details of the event syllabus and details on how to book can be found at the Marcus Evans website:
http://www.marcusevans-conferences-panasian.com/marcusevans-conferences-event-details.asp?EventID=20468&SectorID=17