I think most folks understand that we have an explosion of data, both personally and professionally. I, for one, am a bit of a data hoarder… I have a Plex Media Server with many terabytes of movies and TV shows, not to mention Google Photos collecting every ridiculous photo (or screenshot) I take on my phone. Like many others, I also use other common SaaS platforms from Google and Microsoft, seeding my info to the tech giants in the name of convenience.
With all of this data comes risk… in the case of my Plex server, it could simply be the risk of losing it due to a hardware failure. But, while not being able to watch that Seinfeld episode (ya know… the fusilli episode) for the millionth time might be a personal emergency, it is not going to get me into too much trouble. On the other hand, sharing my photos, including those that may contain sensitive data (think a pic of my passport or driver’s license, or even a scan of my tax returns), could have more dire consequences.
Individuals make these sorts of trade-offs everyday, sending our virtual garages of stuff to the cloud storage facility because it’s cheap and easy, disregarding the dangers. But, it’s our prerogative. After all, it’s our data. The situation is different businesses. Like us, large companies are sending tons of data to the cloud. Like us, they may not even be aware what specific data is going out the door. Frankly, many businesses don’t really know what they keep on-premise to begin with. Whether it’s a custom developed app that collects another bit of client data or a new business process that has been rolled out to grab another account number, data sprawl is real.
I am no longer surprised by the number of companies I talk to that don’t have data classification policies, retention policies, or data inventories. These are doubtless critical things to have for any business handling our data. But, I was involved with privacy program development in the run up to GDPR and CCPA after that. I know how hard it can be, especially as many organizations are struggling just to keep the lights on. But, what surprised me was just how many companies reached out to me to talk about tackling this problem in 2022. It was staggering.
My team at Trace3 had countless conversations with CISOs and other execs who were finally ready to really sink their teeth into the data challenge. Interestingly enough, our preferred approach to starting down the path of cleaning out their data garage was something these leaders knew all too well: the business impact analysis, or BIA. When we pitched this work, we’d get some raised eye brows… until we explained the magic. At the end of the day, organizations collect data. But, they do it as part of a business process and for a business purpose. So, what better way than to start by interviewing the business folks about what they do, how they do it, and what data they collect as part of that process? From there, we also dig into what systems, whether on-premise or in the cloud, are used to support those processes (and therefore which systems house what data).
Once we explained our approach to the BIA and how it solved the data discovery challenges, our clients jumped at the chance. If you’re like most organizations and have a data sprawl problem, think about performing a BIA to start to discover the data. It won’t solve the classification, retention, and security challenges, but it will get you off on the right foot. If you aren’t sure how to get started, hit me up. Let’s make 2023 the year you solve that data problem.