Our world today is a huge-large-complex data generator; every single movement can be recorded somewhere, somehow; sometimes by ourselves, sometimes by others. A social interaction, a financial transaction, a school grade, a song listened to, a video watched, a professional experience, a place visited, a purchase, a success, a failure. Each of these generates small pieces of data that are electronically or physically recorded and that can be put together to represent something we do, are or were – in order to try to predict what we will be or what we will look for.
As social animals, we are constantly interacting with others, somehow, always connected: social networks, mobile devices, wearable computers, internet of things. Lots of data, lots of raw material is available, ready to be used, waiting for someone to explore it and find the unexpected, that thing you don’t know you don’t know, as Donald Rumsfeld once said.
This is what we know now as Big Data. In 2001, Doug Laney, an analyst with Gartner, defined this concept as follows: “Big data is high-volume, -velocity and -variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.”
We have always had data surrounding us, but it is the volume we have now, the velocity to generate it and have it available and the wide variety we can see, that creates the complexity and the specific attention this concept demands. These large volumes of data and the availability of the tools to analyze them, makes this a very special time and provides us with a fantastic opportunity to know things we haven’t known and to transform our way of thinking and our way of doing business. However, we need to recognize that this fantastic opportunity comes with a cost and that includes new risks that we need to be aware of.
Corporate Risk Management
If we want to properly take advantage of this momentum, we need to seriously think about including Big Data and Business Analytics on the corporate risk management program.
But which information security and privacy considerations do we need to be aware of when dealing with Big Data and Business Analytics? ISACA, the international association that puts together professionals specialized in IT audit, governance, internal control and information security has released at least four documents that analyze the information security and privacy implications related to big data:
- Five Key Questions to Improve Big Data Governance.
- Big Data Impacts & Benefits.
- Generating Value from Big Data Analytics.
- Privacy & Big Data.
I definitely think that by reading these documents, you will be able to better understand from a general perspective the information-related risks associated to Big Data and Business Analytics as well as understanding some of the recommendations offered by this association to deal with them.
By reading this document and the materials listed, you will know that there are different risks related to Big Data and Business Analytics. However, I would like to focus attention on the risks related to the implementation of a business analytics project and its corresponding lifecycle. David Roi Hardoon and Galit Shmueli consider the following in their book “Getting Started with Business Analytics” as the elements of the process that an organization would follow in a Business Analytics project:
- Goal definition.
- Understand processes.
- Integration requirements.
- Identify Areas for solution.
- Prioritize findings.
- Determine scope.
- Present findings.
- Solution preview.
But what if, for any reason, unauthorized persons get access to the data, applications and processes related to this? What if the goal is altered without noticing it? What if the processes documentation is altered while being reviewed or disclosed to a competitor? What if the findings are modified? What if the data managed includes personal data and someone unauthorized gets access to it and steels it?
These “What if” thoughts are some of the ones that make us think about Information Security and Privacy. By going to each one of these elements we will understand them and we will also analyze how information security and privacy are intimately related to them, to Big Data and to Business Analytics.
1. Goal definition. This element focuses its attention in determining what the business wants. Among the requests from the business side we could have the improvement of a process, the reduction of the associated costs, the increase of the operational efficiency, the reduction of very specific risks or maybe a mixture of two or more of these. The specific analytics goal needs to be defined here too: Will we predict something? Are we going to detect anything? Is there a need on generating recommendations for anyone to be followed? I think that a business will determine its needs based on its operation maturity. Internal control plays a key role here and Information Security and Privacy are essential in the definition of an effective internal control environment so, even before the goal for Business Analytics is defined, good practices on information security and privacy are required. Goals definition is the first element or stage on the implementation of a Business Analysis project and it is the best moment to think of the elements that will be key for the analytics project. This, definitely, includes protecting data.
2. Understand the process. Once the goal has been defined we need to fully understand the process or processes that are related to it, we will also have to know the information technology infrastructure and applications that are associated with the process under analysis. While understanding the processes and related technology, we need to recognize the controls in place in order to respect their operation, we also need to understand the risks they relate too in order to ask ourselves if any of them will need to be replicated or emulated once the data is extracted from the process and from the information technology infrastructure that hosts them to be transformed and loaded to execute the corresponding analysis. If the data is not at risk from an information security and privacy perspective in their original environment, we don’t want to create risks in the environment designed and devoted to the Business Analytics activities, we will not be able to do this if we don’t fully understand the process and related infrastructure.
3. Specify Integration Requirements. After understanding the process (or processes), we will be able to identify all of the related data sources. We need to recognize that these sources can be internal but they can also be external. As explained for the previous element we need to understand the risks and controls associated to all of the sources from an information security and privacy perspective. If third parties are related to some of the identified sources, we need to be careful in learning how the relationship is managed among our organization and the identified third party. We also need to know the controls in place and we have to look for reports (if they exist) like the ISAE 3402 SOC 2 or any ISO (like 27000 or 38500) certification to be able to have an idea of the effectiveness of the controls operation. This will help us identify our Company’s concerns on the risks that are related to the different data sources identified to support the Business Analytics initiative.
4. Identify areas for solution. This element is highly related to the design of the Business Analytics Solutions that may satisfy the business requirements. At this stage, the Business Analytics specialist will talk to the different stakeholders to present plans on how to approach the project, where and how it has to be focused. When reaching this stage, related risks should have been identified in the process(es) and data source(s) so this is the best moment to propose controls to be in place for the Business Analytics project(s) in order to properly take care of information security and privacy considering the specific needs the organization has.
5. Prioritize findings. On this stage, multiple potential analytics projects might be identified. The Business Analytics specialist is expected prioritize the list of projects based on the potential benefit to be produced for the organization and the expected complexity, however, another factor has to be considered here and that is the risk, not only the one related to the analytics projects itself but, the risk around the related process(es), data source(s) and infrastructure associated with it. This does not mean that a risky project cannot be considered or executed; this means that the Business Analytics specialist and the stakeholders are going to be conscious about this risk and will then define the necessary controls to reduce the risk to the level the company needs to take it to.
6. Determine Scope. By reaching this stage, the Business Analytics specialist has to define a realistic scope for the selected project(s) and this has to include the definition of controls related to information security and privacy. Considering that the Business Analyst has to predetermine projects expected ROI, outcomes and criteria of success and that the Business Analytics solution implementation will begin after this step, this is the last opportunity for thinking of the definition and design of proper controls and its corresponding key performance indicators, if this is not considered here, the value at risk will not be controlled and this can certainly affect the estimated ROI for the project mainly if any of the risks associated to it gets materialized. Considering one of the seven principles of Privacy by Design, we need to be proactive, not reactive; preventative and not remedial. It will always be cheaper to define and design controls in this stage instead of affecting the operation of the process to implement controls once it is in production and the business demands specific times to get responses.
7. Present findings. When sharing results with stakeholders, it is advisable to consider the information security and privacy key performance indicators related to the project. The team needs to know the results we are getting but they will also appreciate to know if we are taking control of what we are doing and reducing the risk to the expected level. If, as a consequence of the results presented, changes have to be made to the objective of the analytics project, the business analyst will definitely need to take care of the new risks that will be faced because of the new requirements and he will have to define the corresponding controls. As Hardoon and Shmueli say, it is crucial to gain the support of stakeholders throughout the project and this has to include risk identification, controls definition, design and operation.
8. Solution preview. Once the final results are reviewed, delivered and compared to the initial objectives, the information security and privacy key performance indicators have to be presented too. The stakeholders need to be sure that the results were obtained without creating uncontrolled risk for the organization.
As it can be seen, we cannot think of a Business Analytics project without considering information security and privacy. It doesn’t matter if we change our perspective; we will always find that information security and privacy controls are needed to be sure that the expected outcome is reliable and that it is not creating risks that the organization is not aware of and thus not controlling. We need to always remember that something can go wrong and we need to be prepared for that.