I ran into an interesting article in the Harvard Business Review this week that points to what may be a huge mistake management and IT are regularly making: Holding IT responsible for data quality. The author, Thomas C. Redman, wrote back in 2012 that you need to get responsibility for data the heck out of the IT department and put it someplace where the authority exists to assure the result. You see, line organizations collect and use the data, are far closer to the source, and have a far better understanding of what it means and how it is going to be used. This means that line organizations should own the responsibility for the data they use because they are generally closer to it, understand it more deeply, and will be the most impacted by the data quality.
Line also typically owns the budget to fund any data acquisition and analytics effort and thus is more likely to fund the effort fully. It appears that large companies and IT organizations often make the most foolish of management decisions, having the people that are responsible for something not have any real authority over it.
Responsibility and Authority
The reason business schools and internal auditors consistently recommend and require that responsibility and authority be matched is because disasters can occur if they aren’t. We saw this in spades back when the job of risk manager was created for financial organizations. Suddenly, someone was in charge of risk who could be blamed if things went bad, but who didn’t have any real authority to mitigate the risk they were supposedly responsible for. The executives making the decisions had no downside and suddenly there wasn’t a single class of risky lending they didn’t want to be part of, well, until it all came apart.
Having responsibility for something you don’t actually have authority over is on a very short list of assured career killers. Yet, with data, it is often the rule that the responsibility for it lies with IT but the authority over it lies with the line organization that funds and uses this data.
Data Ownership: At the Heart of the Problem
So why do I care? Well, we’ve been going on about two hot topics of late: security and analytics. On the security side, the breaches are largely the result of folks getting access to stuff they shouldn’t be able to access, and they do this by getting the authentication information on someone who often has more access than their job requires. The other topical area is analytics and the problem of firms not getting the value from their incredibly expensive analytics implementations, often because the data they are analyzing is corrupt.
The underlying implication of this is that much of our pain, from security to business intelligence, is because the wrong organization, IT, often owns the data. IT is an implementation entity providing a service and certainly can help assure the process, but the beneficiary of the service must own the data and the security around it.
Security and Accuracy
As noted above, two of the bigger problems we are facing have to do with data ownership. Much of the security problem results from people having access to data they are not authorized to use. I hooked up with Varonis after hearing terror stores of financial institutions and later casinos where customer financial information was pretty much available to every employee, potentially including temp workers, creating a massive audit, brand and financial risk. Once ownership is established at a granular level, IT only needs to make sure the system is working; the data owners have responsibility, authority and capability to minimize risk; and IT can still flag if suddenly someone with authority starts pulling lots of data (like a Snowden).
With data acquisition, the path is a bit more difficult and requires a close connection between the data scientist who understands the technology and the customer throughout the project. Here is where technologies like Beyondcore and IBM’s Watson come into play because they help make the query process intuitive and fully understand the need for accuracy at the front end to assure accuracy at the backend. But line, not IT, owns this; IT should only step in as facilitator.
Wrapping Up: Minimizing Security and Accuracy Risks
Protecting and assuring today’s enterprise has never been more difficult. Central to this effort is data ownership and assuring that those who use the data have both responsibility and authority to assure its accuracy and safety. When that doesn’t happen, the firm is exposed, not only to outside intruders who might get access to and misuse it, but to bad analytics results, which will lead to really bad decisions. In the end, the future success of your firm may depend on IT refusing to take ownership of the data and instead working to make sure that the line organizations have the right tools to secure and assure it.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+