Chief Information Officers.
Chief Information Security Officers.
You see those roles, and variants of them, advertised all the time. And to be perfectly frank, I'm kind of tired of hearing that I need to talk to CISOs. Sure, CISOs fulfil a function, but after almost 25 years of working in data protection, I want to start talking to CIPOs: Chief Information Protection Officers. (To be honest, I'm kicking myself that I didn't think to use this term in the second edition of Data Protection. In the past, I've focused on the notion of a data protection advocate, which evolved over time into a data protection architect.)
It's not just that I'd like to start talking to your CIPOs — I genuinely think you need CIPOs as well. Here are seven reasons why:
1. Your data isn't all stored in the same place. It used to be that your infrastructure storage leader would also be in charge of data protection. But your data now only partly resides within your on-premises infrastructure. You've also got data sitting in a variety of public clouds, at the edge, in IoT, and on mobile devices. The leader for each of those areas has their own focus; you need someone above them who is responsible for data protection.
2. Data and business continuity have interdependencies. Following from the above, the interdependencies between different sets of data, and therefore between that data and business continuity, are real and potentially complex. Someone sitting at the management coal-face (e.g., the leader of the storage infrastructure) can't "see the forest for the trees", so to speak. You need someone above the different data leads who can provide oversight of protection policies.
3. You have more protection data than you do regular data. Depending on what your long-term retention policies are, your protection data (the backup, replica and compliance copies you keep of your primary data) may represent up to 95% (or even more) of the data your business holds. Isn't that in itself enough to warrant having a C-level IT executive managing it?
4. Security officers can't devote the time to be data storage protection experts. The CISO fulfils an important function, for sure; I'm not going to dispute that. But CISOs have their own area of expertise that they have to focus on in order to do their job. Asking them to also straddle the fields of data security and storage protection is too much.
5. Risk officers can't devote the time to be data storage protection experts. The other person you might turn to instead of a CISO is a chief risk officer. Yet risk officers are (justifiably) more likely to come from a formal business background than an IT background, since there's a lot more involved in risk than just IT-related issues. For the same reason as (4), above, your risk officers can't spend the time becoming data storage protection leads.
6. Isn't data the new oil? OK, it's almost become a cliché. Still, data is the true wealth of many businesses: whether it's customer account data, intellectual property and patents, or patient records, whatever the line of business, it's very likely that much of the worth of the business comes from the data it holds. Surely that in itself warrants having a CIPO?
7. Your business has an accountability problem. If there is one constant I've experienced in all my years of data protection, it's that no-one ever seems accountable for making a final decision on things like "what data do we keep?", "how long do we keep compliance copies for?" and "when do we delete data?" (I can't count the number of times I've been in discussions where someone has argued "the manager responsible for that has left, and no-one wants to take ownership of it", so a bucket of data just sits there and eats away at primary and protection storage like a cancer.) Theoretically, the buck should stop with the CIO, but in practice the buck sort of fritters away and disappears long before it reaches the CIO's desk.
If your business actually truly values data, its next executive hire should be a CIPO. And I’d like to speak to them.