As CISO and Head of Data Governance for insurance company esure, Stephen Owen had a golden opportunity to empower his business by creating a transformational data access platform with privacy and security at its core
As group CISO and Head of Data Governance for insurance company esure, Stephen Owen has a unique perspective on how to empower businesses with data.
His insight on this subject is timely – many enterprise businesses are implementing digital transformation programs designed to get more value from their data. Programs that have only been accelerated by the pandemic.
For CISOs this offers a tantalizing opportunity, to enable nimble business decision-making in a secure manner and to help their businesses reap the many rewards of digital transformation.
In the opening keynote of last week’s inaugural CISO London conference, Owen argued that putting security and privacy principles at the core of a data democratization platform while maintaining the speed of delivery is key to enabling business success.
“Historically, I’ve seen several organizations where governance, security, and privacy can slow down the business in a tremendous way. And, often, it gets security, privacy, and governance teams a bad name,” Owen says. “But businesses are starting to realize that one of the key aspects to unlock the business, underpinned by security, is data democratization.”
Enhancing Data Discovery in a Secure Way
For those unfamiliar with the term, data democratization is all about making data available in a secure manner to the people who need it – even if they are in a non-technical role.
At esure, this meant creating a data platform that operates as an internal search engine. This makes accessing formerly disparate datasets simple and fast – at least, from a user perspective.
“People can discover what data they have. You may have pockets of data all-around a business – certainly on legacy systems and even on new systems,” Owen observes. “But we want to be able to share data faster. And instead of governance and security taking days and weeks – we’re talking minutes in this new language. We’re challenging the norm.”
However, from a security and privacy perspective, there is a certain contradiction to democratizing data access. The first instinct of a security person is often to lock the data down and put tight controls in place.
“From a privacy perspective, it’s important to understand what we call the ‘purpose of use’. There are lots of contradictions in this, but you can find the balance,” Owen says.
Building Security into Your Data Platform at the Foundation
Owen’s objective was to allow staff across the business to self-serve data. Doing so meant building strong privacy and security principles at the foundation of his new platform.
Of course, any IT-related transformation project is a challenge to implement successfully. In previous positions, both Owen and his colleagues have seen many instances of security and privacy issues arising from the poor adoption of core policies.
“Whether it’s people with long-standing access to data, the wrong rights, data going to third parties, the privacy principles not being adopted, the underlying platform, there are lots and lots of [possible] issues,” Owen recalls. “And instead of retroactively applying security [we were] building it in from the ground up. So, I was really up for this.”
Owen attributes much of the project’s success to not only a focus on technical excellence but also driving home the core principles to stakeholders across the business as well as defining their strategic ‘north star’.
“We started to work with a set of principles. It was about team identity, cross-team fertilization and we had our ‘north star’,” Owen says. “This really helped us when it came to implementing our platform. That’s the first takeaway – have your ‘north star’ and a strong set of principles.”
He concludes: “People start to understand that as you are talking about working across compliance, privacy teams, security teams – having that common purpose, that common goal, and an unbeatable platform, they know that data as a service is key to what it means to that business.”