Looking beyond traditional IT network security, a new Data Governance Council has been created by IBM and several dozen companies and IT organizations to help corporate technology users look into better protecting their data against hacker attacks and other breaches.
In an announcement Thursday, IBM said the council will work to create a blueprint for the governance and protection of personal and organizational data within companies.
"When they look at security or the governance around their businesses, [most companies] haven't taken a data-centric approach to it," said Stuart McIrvin, director of corporate client security strategy for IBM. Instead, they usually look at security and policy issues without keeping the importance of their data as a central theme, he said.
The idea of data governance looks at how companies permit and govern appropriate access to their critical data by measuring operational risk and mitigating security exposures associated with access to data, according to the council. The group will look to redefine the management of data governance policy, the impact of policy on business processes and practices, and the enforcement of policy in IT infrastructure, content and organizational behavior.
The idea for the council grew out of discussions and informal quarterly meetings IBM has had with customers and business technology partners for almost a year, McIrvin said. "We're talking with real customers who have these problems," he said. The group's mandate is to "dig deep into issues around companies managing their data," he said. Yesterday's announcement formalizes the creation of the group and its continuing operations.
For IBM and its business partners, the input from customers will help tailor new and existing security software features and products that can help customers respond to the problems, he said.
"We're starting to look at some of the tools IBM has and how we can modify them to meet customer needs," McIrvin said. Some customer members of the council have volunteered to run pilot projects to test new data governance and security technologies, he said. "That's the ideal environment," as opposed to testing in a software lab. "With a real customer using it, it makes seeing its operation easier."
Robert Garigue, chief information security officer of Bank of Montreal, a council member, said a new approach is needed to help companies oversee access to customer data.
"I think data governance information management is an idea whose time has come," Garigue said. Security issues in IT have long focused on defending corporate network perimeters, he said, but that is changing because the data itself has to be protected with access controls and management.
"Managing the content is difficult. It's not just incremental," Garigue said.
"We need to evolve frameworks to build the security around the content and not just around the pipes," he said. "Increasingly, companies are seeing alarming rates of data theft. The council's ultimate goal is to transform data governance and compliance from yearly audits to real-time, change-driven, on-demand business processes that continually assess risks, update policies and manage resources across the enterprise."
Among the top governance issues to be explored by the council are security, privacy, compliance and risk challenges that need common solutions and standards, as well as misunderstandings regarding organizational and IT roles and behavior, which can potentially cause data exposures. Other problems include corporate policies and rules that aren't linked to business processes or IT systems, and the lack of common methods for metadata classification and IT integration, according to the group.
Members of the council include ABN Amro Bank, American Express, Bank of Montreal, Bell Canada International, Corticon Technologies, Danske Bank, Deutsche Bank, Fidelis Security Systems, Great American Insurance, Huntington Bank, KeyBank, Merrill Lynch & Co., Novartis, the Nassau County, N.Y., government, North Carolina State University, Northwestern Mutual Life Insurance, Nova Southeastern University, the United Nations Development Program and the World Bank.