At the Center for Digital Transformation (CDT) summit, “Road to Reinvention (R2R): Leadership in the Digital Age 2017” last month, two speakers especially captured my attention. Mike McNamara, Executive Vice President, Chief Information and Digital Officer for Target said something that I didn’t expect: “We have to prove to our customers every day that their data is secure, it can never leave us again.” Craig Boundy, CEO Experian North America followed McNamara saying that protecting data is everyone’s job, not just that of governance, compliance, or risk. For this reason, Boundy said that data security has moved to the business because in business, finance and security goals are non-negotiable.
I asked members of the #CIOchat about these business leaders’ comments. Mark Thiele, Chief Strategy Officer at Apcera responded “It’s about time.” Tim Crawford, CIO Strategic Advisor and former CIO said “With respect to Experian, a failure to secure data would kill them as a company.”
There was some discussion about whether data security is a fundamental business requirement or a business goal. Sharon Pitt, CIO at Binghamton University said that her strategic technology plan has a security goal, but Jay Ferro, EVP and Chief Information and Technology Officer for ExamWorks said if security is not fundamental then other business goals will suffer. David Chou, CIO and CDO of Children’s Mercy Hospital added that everything that we do needs to have security as a fundamental approach–it is now the top area that CIOs can get fired. Pascal Viginier, CIO of Orange agreed, saying that data security is now basic for any business.
Stephen Landry, CIO of Seton Hall University argued that information security is an essential part of customer experience, as Target now knows. Ragu Kantamaneni, Chief Evangelist for Damaka claimed that data security should be a requirement and prerequisite for all businesses dealing with consumer data but wondered how many marketing folks think this way? Chou said, “Once the trust is gone, forget about all of the digital and innovative experience you have put forth.” Isaac Sacolick, former CIO of Greenwich Associates added, “you can compete on overall customer experience, innovation, performance, service, design and a big yes for security and trust.” Viginier and Cynthia Stoddard, CIO of Adobe, each agreed with Sacolick with Stoddard saying, “Data is the new currency for organizations driving insights, customer engagement, and ultimately financials.” Ann Cavoukian, Executive Director of the Privacy and Big Data Institute, agreed with Sacolick as well: “You can’t afford to leave security out of the equation. You must have both privacy and security, ideally by design!”
IT consultant Chris Petersen, said data security and the processes that underpin it, are fundamental to achieving organizational goals – customer experience, IP protection and so on, all need it.
Overall there was a sense that it is important for organizations to know that they are never done with security, that it is an ever-evolving process. Ed Featherston, VP Principal Architect, Cloud Technology Partners said here that from day zero, IT should determine what level things depend upon data because not all data is created equal. Tim Crawford further claimed that, akin to Cavoukian’s Privacy by Design thinking, data security needs to be part of a company’s DNA, not an afterthought or discrete project. Pitt said that security objectives include extended investment in tactical and operational practices, data governance, and data loss protection.
So the question is, why aren’t there more CEOs like Craig Boundy? CEOs today should get the importance of protecting data as a core business capability. Experts at my company say CIOs need more cover; even where there are legal or regulatory issues, data protection needs to be mandated by the CEO and board. Given this, more data attuned CEOs need to say they are measuring performance and protecting data. When customers demand data protection, the business needs to pay attention.