A new commodity is spawning a fast growing industry, prompting regulators to step in to restrain those who control its flow. A century ago, the commodity in question was oil. Today, similar concerns are being raised about organisations that deal in data—the oil of the digital era. Popularly called ‘new oil’, data powers the engines of analytics in a digital economy. According to Department of Economic Affairs, India could become a $1 trillion digital economy by 2022. This is evidenced by the rapid pace of digital adoption. This data, when analysed correctly, can provide powerful opportunities for organisations to gain a competitive advantage.
Basis the KPMG in India CEO Outlook 2018 study, CEOs in India are increasingly embracing technology disruption and digital transformation. This can result in radical business-wide changes in organisational structures, and data will be crucial as it will be the key to measuring and bringing in efficiency and performance. A majority of CEOs are seeing digital disruption as a pathway to business success and 66% believe they will reap the returns of digital transformation within three years. And much like oil, India Inc will have to protect and take care of data zealously.
This is, in no way, a comment on the lack of data consciousness. The study reveals that CEOs have taken note of cybersecurity being an important risk across organisational value chain. They are able to relate the implications of cyber risk leading to operational risk, supply chain risk, brand risk and emerging technology risk. A majority of CEOs (71%) consider it’s imperative to have a strong cybersecurity strategy for building trust across key stakeholders. A third of Indian CEOs believe a cyberattack is imminent, and only 40% have faith in their organisation’s ability to contain the impact of a cyberattack on their strategic operations.
Enhanced global regulations on data protection are leading to heightened focus on this domain. There is a realisation this needs to be addressed as a business risk rather than looked as only a technology solution. There are certain things all businesses need to keep in mind to protect data:
Knowing about the data: Data proliferation has led to exponential growth of data across organisations (structured and unstructured), which is increasing with the ongoing digital transformation. Efficient data management and data protection involve being aware of the data and applying timely, well-developed data classification methods to ensure protection of an organisation’s most sensitive data assets—identify the ‘crown jewels’ across the organisation to ensure they are adequately protected. It is imperative we assign the responsibility of this data to dedicated individuals and implement tools to facilitate efficient data management.
Assess risk and impact: Data discovery provides a good view of the level of protection required. However, adequate measures can be taken after risk and impact assessment is performed. Given that this area is constantly evolving, it’s important to maintain a current view on the impact, which could have significant implications factoring in recent global regulations (such as EU’s General Data Protection Regulation). Organisations need to also ensure that the impact of international borders on data, vis-à-vis international vendors and cloud services, is managed carefully.
Establish a robust framework and policy: Having a robust framework for data management and data protection, and web-based data handling processes, is a must. The nature of risk demands adequate governance across the framework with identified people having clearly articulated accountability and responsibility for enforcing associated policies across the organisation.
Establish capabilities for monitoring: Organisations must ensure they have the capability to monitor the risk posed by data management on an ongoing basis, and learnings are thought through and implemented. Monitoring capabilities should be developed in a way they can assist in identifying incidents. Equipping the organisation with effective incident and response management capabilities is key to ensuring that, in event of data breach or similar contingencies, the incident can be effectively managed.
Data handling and management should involve a holistic and universal approach, complete with legal, corporate, technical and human aspects. Most stakeholders are sensitive to data protection measures, and it’s no longer a responsibility with no reward. It has become a top priority to operate in current environment, and a powerful differentiator.
The Author is Partner and Head, IT Advisory, Risk Consulting and Cyber Security Lead, KPMG in India