Why data governance should be corporate policy

Apr 25, 2018 | 5 min read
Data Management, IT Governance, IT Leadership

Data is like water: water is a fundamental resource for life, and data is an essential resource for the business. Data governance ensures this resource is protected and managed correctly, enabling us to meet our customers' expectations.

Over the last eighteen months, we have been inundated by reports of businesses that have suffered devastating data breaches. A majority of these incidents involved customer data that had been entrusted to them. These incidents affected the organizations in many ways, from executive leadership stepping down, to impending class-action lawsuits, to decreased revenue from the loss of customer trust.

It is this picture of dismal customer privacy, and the business world's lack of security controls for this data, that leads me to recall a question I have heard many of my peers ask after hearing about the latest breach: why didn't they have a data governance program?

Data governance is a methodical process an organization implements to manage its data and ensure it meets specific standards and business rules before the data enters a data management system. Data governance encompasses people, processes, and technology, connected together as an essential program for many types of industries, especially those that must meet regulatory compliance requirements, such as finance, healthcare, or insurance. For companies in these industries to achieve compliance, they must demonstrate that they have formal data management processes in place (using the components above) to govern their data throughout its lifecycle.

Implementing data governance from a process perspective involves four steps: data stewardship, data classification, data quality, and data management. These steps define how a company identifies the data types it owns; which data is considered critical to operations; how this data should be audited; and whether the data should be monitored, stored, moved, changed, accessed, and secured. It is important to recognize that data governance is an ongoing process that needs to be aligned with business operations and must evolve with the organization as it matures.

Here are the four main components of a successful data governance program:

1. Data stewardship

Data stewardship is the process of identifying and assigning roles and responsibilities. In this step the business identifies who creates its data, who has overall responsibility for the data, who uses the data, who routes it, and who oversees its use. The titles typically assigned under this process are Data User, Data Owner, and Data Administrator.

2. Data classification

This step is one of the most important for the organization. During data classification, the business looks at all of the data types it has identified and categorizes them into groups. These data groupings carry labels such as "Public," "Restricted," or "Confidential." Each label should come with a description of the types of data that fall into that category and the security processes that must be followed to manage and protect that specific data type. I have seen data matrices used as an aid to train employees on how they should protect the company's information. During this step, I recommend including stakeholders from the various business units of the company, because their insight will be needed.

3. Data quality

The next process of an enterprise data governance program involves the employees who use company data for specific operations. Data quality is the process of measuring the reliability of current datasets to provide information that can be used to make organizational decisions. If users enter inaccurate data into business intelligence software, the resulting datasets used for strategic planning will be skewed. As you can imagine, not getting this process right can significantly impact an organization's ability to conduct business. Data quality is the one component of the data governance program that must be fully mapped, managed, and audited to verify that the resulting datasets are clean and accurate.

4. Data management

Data management is the final process, where all of the organization's data governance efforts come together. This is where the company actively manages its data governance program; it involves creating the architectures and business processes required to properly maintain the organization's data through its full lifecycle, from inception to retirement. During data management, organizations will have data owners participate as members of long-term projects such as the implementation of data portals or cloud technologies. This process makes business data usable in multiple formats and available to teams regardless of their location. It is also in this process that the workflows governing data access are mapped, implemented, and audited, in order to verify that data is protected with the right level of security.

In previous articles, I discussed how data privacy should be a strategic initiative for businesses. I stated that companies should train their employees and make sure they understand that data privacy is an "every employee" initiative. For firms to do this efficiently and continuously, they need to enforce data governance processes. Data is like water: water is a fundamental resource for life, and data is an essential resource for the business. Data governance ensures this resource is protected and managed correctly, enabling us to meet our customers' expectations.


As Chief Information Security Officer (CISO), Gary Hayslip guides Webroot’s information security program, providing enterprise risk management. He is responsible for the development and implementation of all information security strategies, including the company’s security standards, procedures, and internal controls. Gary also contributes to product strategy, helping to guide the efficacy of Webroot’s security solutions portfolio.

As CISO, his mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs” focused on enabling CISOs to expand their expertise and scope of knowledge.

Gary's previous information security roles include CISO, Deputy Director of IT, and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty), and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks, and consolidated legacy network infrastructure into converged virtualized data centers.

Gary is involved in the cybersecurity and technology start-up communities in San Diego, where he is the co-chairman for Cybertech, the parent organization that houses the cyber incubator Cyberhive and the Internet of Things (IoT) incubator iHive. He also serves as a member of the EvoNexus Selection Committee, where he is instrumental in reviewing and mentoring cybersecurity and IoT startups. Gary is an active member of the professional organizations ISSA, ISACA, and OWASP, and is on the Board of Directors for InfraGard. Gary holds numerous professional certifications, including CISSP, CISA, and CRISC, and holds a Bachelor of Science in Information Systems Management and a Master's degree in Business Administration. Gary has more than 28 years of experience in information security, enterprise risk management, and data privacy.

The opinions expressed in this blog are those of Gary Hayslip and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.