With so many metrics focused on the “cost of a data breach” as well as how much money is spent on data security, is it crazy to think that boards of directors will begin asking for financial statements around data value in the next couple of years?
The concept of placing value on your data is not new – analysts have been talking about infonomics and information valuation for a while now. In fact, it just appeared on a recent Gartner hype cycle which suggested infonomics will take 5 to 10 years to plateau. However, with the pressure on organizations to build a strong culture around data security, I would argue we are going to see the need for data value statements within the next 2-3 years.
Today we are seeing a surge in organizations focusing resources on the identification of information assets. The natural extension of applying identity to something is to evaluate the value of the asset. A convergence between data security and business management is gaining momentum. There is no better example of this than a recent article on TechCrunch, which cites a large settlement that paid each of the 75,000 record breach victims $100 (or a $7.5 million loss). New data privacy laws coming in Europe may assign the value of PII to be equal to as much as 5% of your global gross sales.
With this kind of investment directly tied to the data, organizations are starting to see questions from the Board asking about the value of their sensitive information – not just in the form of structured data like credit numbers or other personal information stored in a database, but in unstructured data such as emails, documents and files. For example, Boards could start asking questions such as, “Can you tell me how many documents contain ‘top secret’ IP that, if leaked, would cost the company $X of R&D investment over the last X years?”
Some estimates suggest that the average business user sends/receives 121 emails per day, which I am guessing seems low for some of you reading this. Another estimate suggests that in 2014, 500 billion new Microsoft Office documents were created. Most of this information has value which the organization needs to measure and track. While that may seem daunting, the good news is that getting started is much easier than one might think:
- Don’t reinvent the wheel: Many organizations already have documented ways to value data in their information security policy via their classification schema. If you do not already have a classification schema, creating a simple one – 3 or 4 classification labels (max) – is all you need to get started. For example: Public, Confidential, Internal, and Restricted.
- Identify low-hanging fruit: There may be data in your organization that you have already assigned a value to and want to track. Perhaps it is a secret project that a team has been working on, or maybe it is customer information that must remain confidential. Whatever the data might be, consider opportunities to identify it with a label at the point of creation (automatically or manually). Keep legacy data identification projects as a follow-on initiative, as this data is typically of less and/or diminishing value. Trying to include both new and legacy data in the initial project can often overwhelm your teams.
- Analyze and assign monetary value: Once your data has been identified, analyze it so that you can assign value based on the classification and sensitivity. For example, maybe every email that contains the secret project name “Martian2016” is given a value of $X based on estimates that if these emails were leaked, it would cost the company $X in market share.
- Refine and report to your stakeholders: It is easy to see how quickly assigning a monetary value to your data could create some large numbers. To prevent overvaluation of the data, once the initial analysis is complete, baseline these numbers against other metrics, such as project cost, market opportunity, cost of a data breach, etc. This will help to ensure you articulate a well-rounded measure of value to your various stakeholders.
I would love to hear your perspective on this topic. Are data value projects gaining prominence in your organization?