Data and data analytics are changing business models and competitive positions of companies. At the same time, they can improve decision-making in businesses and streamline operational processes.
These changes do not arise in a vacuum, let alone by themselves, but require strategy. Therefore, it is surprising that a McKinsey survey shows that a large proportion of companies respond to the change in the operating environment of data and data analytics on an ad hoc basis or through one-off projects.
A data strategy describes what a company wants to achieve with data and data analytics - how the company wins with data and how it achieves its goals. In addition to the objectives, the data strategy or its implementation plans describe the key principles related to the data, including:
- Where is data obtained or collected (e.g., from customers, customer behavior, partners)?
- How is the added value from the gathered data generated?
- How can the data be re-used, and how can it be shared inside and outside the company?
- How is the data stored so that it can be utilized, shared, and transferred as easily as possible (e.g., to cloud services, centrally)?
- How is the data managed, enabling the appropriate and efficient use of the data (e.g., data is available for all projects, and no silos are created between parts of the organization)?
- How is all the above implemented in compliance with data protection legislation and respecting the customer's privacy?
Each of these key principles is strongly linked to information security.
Data strategy and information security
Ideally, information security is an enabler of the appropriate use of data. When creating a data strategy, it is advisable to consult information security professionals so that the data can be used as widely as possible securely and with data protection in mind. The following three examples illustrate the relationship between data strategy and information security:
- Gathering data on customer behavior or obtaining it from partners can raise customers' suspicion about the company's operations. Clear communication about the company's good information security will dispel these fears and build trust in the company.
- At worst, utilizing data about people's behavior hurts people's privacy, but at its best, data can provide better services to customers. Data Protection Impact Assessment, DPIA, is a way to take into account people's privacy when using data. DPIA's results are strongly linked to information security, as people's privacy is largely protected by information security measures.
- From a business perspective, a data strategy often answers the question: can our data be utilized in other companies in a way that does not harm our company's competitive advantage but also benefits us? Indeed, sharing data outside the company is often useful, for example, to strengthen partnerships. However, this must then be done so that sharing does not destroy the competitive advantage that the company derives from the data. Information security plays a central role in achieving this.
Traditional information security can be a barrier to the utilization of data within a company. Therefore, the data strategy must be created so that it breaks down the artificial silos inside the company built by traditional information security and makes the data available to those who have a justified need to utilize the data.