Category: Information Security

Chief Data Officer – the first 100 days

Guest blog by the co-authors of The Chief Data Officer’s Playbook, Caroline Carruthers (Group Director of Data Management, Lowell Group) and Peter Jackson (Head of Data, Southern Water).

Gartner predicted that by 2019, 90% of large organisations will have hired a CDO – but only 50% of these will be a success. Much of what determines your success or failure going forward will take place in the first 100 days. Essentially it is about getting the basics right now and building firm foundations for the future.


What do you expect when you start?

The first hundred days are important in setting expectations for the kind of CDO you are going to be. Now, from one CDO to another: expect a real rollercoaster of a ride. There will be amazing highs followed by moments where you sit with your head in your hands wondering what on earth you have done. Basically, it is a microcosm of the rest of your role as a CDO, just crammed into a shorter time period.

Case for change

The very first thing you need to do is understand your organisation’s case for change; if it’s not there, create it; if it needs help, redefine it. But whatever you do make sure you have a clear easy-to-describe case for change. In order to be an effective CDO you will be changing the organisation, and no change starts without a burning platform or an absolutely massive benefit at the end. If you can’t find the case for change then you might as well go home at this point.

What you are aiming for

The case for change helps you set the vision for what benefits you are aiming for, whether they are saving the organisation from repeating mistakes or gaining insight to derive more value. It’s the compelling argument that makes people want to help create the future you are selling. It also helps to set out your scope and start to set expectations about what you will and won’t be doing. People often forget about the ‘not doing’ part of a scope, but it’s just as important as what you are doing, if not more so. Without it, people can overlay their own expectations and assume they are getting everything they’ve always wanted, simply because they misinterpreted what you meant. Whilst you need to create a compelling vision, it’s best to be realistic about where you can go, what it will feel like, and how long it is going to take to make a difference.

There is no point in starting a journey without having an idea of your destination. You don’t need a fixed point you are trying to drag the company to, rather an idea in mind of where you are leading them. It is a bit like giving them a treasure map: you might not have buried the treasure yet, but you know which island you are burying it on, and they will get more maps the closer they get to the goal.

Your team

We are going to assume you have a team in place. Knowing how long this process can take, unless we make that assumption the whole story of your first 100 days will be taken up by fighting to get people to come and help you, against departments who practise the dark arts and refuse to let you see the playbook. You need people around you to help, as no one person will ever be able to change the company without a lot of support. Apart from the need for skills and experience that are varied and wide-ranging, you also need that support to help you get back on the upward track when you hit some of your rollercoaster lows.

Then you need to look at what basics you are trying to get right: what materials are going to make up your foundation?

To keep it simple we’ve broken these down into three main areas


Let’s face it, you will be making changes to the organisation and you might not always get it right first time – remember the old saying ‘if you never make a mistake you aren’t trying hard enough!’ So what must be in place is a way of letting people know what is expected of them and what they are really accountable for, be that policies, standards, procedures or whatever your company uses to help everyone understand their responsibilities, as well as a control mechanism for managing those policies. How do you make decisions on how the organisation needs to treat its data and information? Who is involved in this process? If you are smart you get people involved who cover large parts of your company – the plot for ‘buy in’ starts here.

Information architecture

Next let’s look at your information architecture: not the vast swathes of detail that sit in your data dictionary (at least not at this point) but the big headings. What are the top 5 to 10 or so headings which describe all the information in your company and (most importantly) who is the one person who could make a decision on each one? This is not about playing the blame game; that just makes individuals hide from any kind of accountability and leads to a kind of company-wide whack-a-mole game. Remember the quote from above: ‘if you aren’t making mistakes…’ Your information domain owners are accountable experts in their fields who understand specific areas of information within your business and can give firm direction and decisions in their area. Once you have the highest conceptual level agreed, it’s time to move on to the next level, adding richer detail as you go.


Lastly and definitely not least, how are you going to engage with the company? Where is your network of evangelists coming from who will sell your message? It’s great that you know who can make decisions about the information and that you have clear instructions on how people should treat your company’s data but it really is pointless unless you tell them. Naturally we are talking about mass company-wide emails that of course everyone reads every detail of, inwardly digests and miraculously and immediately changes their behaviour… in our dreams! This is hearts and minds time here: what is your compelling argument to change, how are you making their life better and what is in it for them that makes it worth changing their behaviour? At the very least tell them what you expect from them.

Get all that right and at least you know you have covered off your basics while you start your journey.

The Chief Data Officer’s Playbook will be published in November by Facet Publishing.


6 information security tips: Stop your data being held to ransom

This blogpost by Facet author Alan MacLennan was originally published on the CILIP website last year. We have re-published the post today as information security is back in the news following the cyber attack on TalkTalk last week.

There’s a lot of concern at the moment about the threat from GOZeus and Cryptolocker – the first of which is a piece of malware which steals banking details, whilst the second encrypts your data, after which you are held to ransom for its recovery.

The two threats appear to operate together, and have been scaring lots of people this month. They appear to be confined to Windows systems, which is no great consolation if that’s what you have, and there’s no guarantee that even paying the ransom will result in your data being recovered, so it’s a pretty bleak picture, if your system becomes infected.

Tips for individuals

  1. Back up your data
    Just as well you can restore from your backups, then. You do have recent backups, don’t you? Oh, dear. Pity. Better kiss your system goodbye, then, until someone works out the decryption, if it’s possible.

    It’s a good time to emphasise the importance of a good backup procedure for your data. Don’t worry about applications, you can re-install them from the installation media, but get a good backup procedure in place.

    You might have to wipe and re-build the whole system. There are several ways to go about it – full, incremental, differential, mirroring – and you need to find which suits you best, but a good first step is to copy all of your data to a removable medium that you can keep separated from your system. That gives you a bit of breathing space, and you can then just back up what changes day-to-day, until you get a proper system in place. But start it copying right now.

  2. Look at passwords
    It’s also a good time to look at passwords – the sort of target that GOZeus has in its sights. Do you let Windows, or your browser, remember passwords for you? That’s right – bad idea. Do you keep them, unencrypted, anywhere on your system? Another hostage to fortune.

    Consider using a service like LastPass, which gives you access from anywhere to your passwords, which are stored in encrypted form on their server and in a “vault” on your machine. It will also provide hard-to-crack passwords, and remember them for you. Other, similar services are available.

  3. Make sure your system is patched and updated
    Now, with some holes in the dam patched, temporarily, what can we do to avoid these nasties? If your system is connected to the network, you’re a target. Even if you’re not running Windows, there are other “exploits”, though not nearly as many in number, because Windows’ popularity makes it the most lucrative target.

    So, first make sure you have your system patched and updated – that can be done automatically by Windows Update, or there are system update tools for Linux. If you’re still running Windows XP, you’re a hopeless optimist.

    Keep the anti-virus and anti-malware programs updated. If you don’t have them, there are good free versions readily available, and Windows’ own Defender and Security Essentials come with the OS.

  4. Don’t open email attachments, unless you’re sure they’re safe
    Don’t open email attachments, unless you’re absolutely sure that you know the source, and you’re expecting the attachment, and you can confirm that the source sent it.

    That’s probably the main way these bad things get spread, but apply the same principles to hyperlinks in emails, even if it means you miss out on those millions of dollars waiting for you to look after them, or the promised revealing photos.

    And speaking of revealing photos, web sites with “flesh-coloured images” (thanks to Bruce Royan for that term) aren’t the sort of thing you should be consulting at work, but are a really good source of more nasties.

Excuse me – I think my backup’s finished <ahem!>

Tips for organisations

Now, I’m not concerned about the machine I use at work because Robert Gordon University is a fairly big university with a wonderful IT Services department and infrastructure in place.

Lots of organisations aren’t that fortunate, and if you’re in the information profession, you might well be the most knowledgeable person around.

Maybe there’s a technician for the hardware, maybe even an applications supervisor for looking after the software, but it could be that you’re the “go to” person for anything more “information-y”, which is flattering, but comes with a burden of responsibility. Might be that paragraph in the job description that you airily glossed over at the interview?

Ad hoc advice is great, and will raise your profile as an all-round helpful type, but if you really want to be effective, and not to have to repeat yourself endlessly, and to work in a better environment, where the network isn’t at the mercy of the next cyber-hooligan, it’s time to think about policies.

  1. Create a policy
    Policies are good, because they’re explicit, in the knowledge management sense – they’re the captured wisdom, the tablets of stone, the things you can point to and say, “That’s how it’s done” which is immediately more impressive than “Well, what I do is …” Policies can be encoded, made part of induction programs, produced as evidence of good practice – they tick another box, if you will, but you’ll rarely be criticised for having too many.

    So, what goes on the shopping list? A backup policy would be good – either take responsibility for your data, or save it to a shared drive, which can be backed up centrally. Patches and updates, antivirus – it depends on your systems what will work best, but to write the policy, you have to think about that, which is what counts.

    How else can our systems get infected by malware? What about a BYOD (Bring Your Own Device) policy? If people can connect their phones, tablets and Google glasses to the network, or bring in USB sticks, that’s another vector of infection, to adopt the medical metaphor which viruses so neatly match.

    I’m not telling you what your policy should be, but those are at least some of the areas you should address.

  2. Educate people about email
    Email behaviour is more a matter for education: “did you hear what happened to so-and-so? Clicked on a link in an email and … I’d be so embarrassed if that happened to me.”

    And you may be dealing with customers, colleagues, your customers may be colleagues – there will be lots of possibilities to exercise your skills in user education. However, if you can be the unseen hero(ine) who saves the system from a fate worse than usual, well, it’s just another day as an information professional.

    So, think about what you know, and about how you can best apply it to your organisational context. Critically evaluate the situation regarding this aspect of information security in your organisation. Think about your role as an individual or a department, and how that can be influential in shaping policy.

It’s not unlike a scenario exercise from an Information course, but it’s real, and you don’t have a long time until the submission date. Good luck.

About the author

Alan MacLennan MA, MSc, PhD has been a lecturer in Information Management at Robert Gordon University since 1993. His previous experience includes periods as an analyst/programmer and as an assistant librarian. In 2007, he was awarded a PhD for a piece of research into user preferences regarding virtual worlds for information retrieval. He is the author of Information Governance and Assurance.

Image credits

Image 1: “data.path Ryoji.Ikeda – 4” by PROr2hox, used under CC BY-SA 2.0
Image 2: “Padlocks” by Jessica Paterson, used under CC BY-SA 2.0