What Large Orgs Can Learn from Domo’s Security Experts

When it comes to software security and privacy concerns, Niall Browne and Ryan Taylor are two of the most plugged-in professionals you will find. Niall is the Chief Information Security Officer at Domo. Ryan is the company’s Chief Privacy & Data Protection Officer.



As the adoption of digital technologies
becomes more widespread, and talk of more regulatory oversight in the U.S.
grows louder, I got their thoughts on a number of issues surrounding this
increasingly important topic for all businesses, but especially large global
organizations.



Q: What are the greatest data management challenges facing large organizations conducting business across the world?



RYAN: Large global organizations are still
very challenged by trying to understand what data is actually relevant to their
organization, where that data resides, how to scrub it so that it is reliable,
and how to bring it together to create an accurate view of the organization
that the right people can use at the right time to make good business
decisions.



They are also challenged by keeping up with the constantly changing face of privacy law. In the U.S., organizations are trying to understand the implications of the California Consumer Privacy Act (CCPA), which goes into effect January 1. In Europe, organizations are still refining their compliance with the General Data Protection Regulation (GDPR). And in certain parts of Asia-Pacific, companies are working to digest recent updates to privacy and security laws.



Then there’s a third challenge: How to maximize the value derived from large volumes of data while also protecting the rights of individuals with respect to their personal data. Every organization is different, it takes a lot of balancing to get this right, and it’s definitely a work in progress for most—if not all—large global organizations.



Q: Sixteen months in from the GDPR rollout in Europe, what are the biggest changes you’ve seen in the way large organizations are governing their data? Have they been positive?



NIALL: Prior to GDPR,
many companies implemented a checkbox approach to data privacy. While they may
have been able to check the box for a specific data privacy control, they were
unsure of how the control was actually implemented. This resulted in a
swiss-cheese data privacy model with lots of control gaps and internal teams
unsure of what they were supposed to do. GDPR and the associated fines have
resulted in companies now making data privacy a priority, rather than a future
promise.



RYAN: Since the GDPR went into effect,
companies have spent considerable time and effort reviewing their data
collection and data management practices, and working to better reflect in
their policies and practices the interests of individuals with respect to their
personal data. That improvement comes in the form of greater transparency and
communication, allowing for individual choice, and more thoughtful data
management practices generally.



Q: Even large global organizations face inherent issues of IT and data governance. Do you think this is a common trend across enterprise organizations that have legacy systems in place? What could they do to be better?



NIALL: For data privacy to be effective, it needs to move from abstract statements in unread policies to being part of the company’s ecosystem. The issue is that legacy tools oftentimes don’t support the data privacy access controls needed to protect users’ data in this new GDPR world. Retrofitting these legacy, on-premise tools has proven to be very resource-intensive at best. Organizations need their data on platforms that have been designed with data privacy in mind. Otherwise, they will be left behind and subject to substantial fines.



Q: When it comes to keeping customer data safe, how can organizations ensure no database is exposed, beyond security systems being up to date?



NIALL: Organizations need to embed security and privacy into their business functions. At a practical level, this means that Privacy Impact Assessments (PIA) need to be completed for a significant change, such as for the deployment of a new tool, platform or data process.



RYAN: The single biggest issue that leads to
incidents involving exposure or misuse of confidential customer data is human
error. All organizations need to make sure their policies and procedures
related to proper data usage and sharing are up to date and reflect the latest
legal requirements. Once the organization has the right policies in place, they
need to spread the word by conducting regular privacy and security training of
their employees, their vendors, and their partners.



Q: A lack of data governance can lead to shadow analytics, where employees take matters into their own hands and download data outside of approved systems to analyze it. This creates multiple threats, from a cybersecurity standpoint to multiple siloed and out-of-date datasets. What types of technologies can help organizations manage this?



RYAN: This is a very real issue. All employees
need information to be successful in their roles, but so many have difficulty
locating and accessing the relevant data. This is often driven by fear. Without
clear policies and procedures to follow and without reliable technologies to
facilitate, the people responsible for that data fear making judgment calls
about who can access it and how to give it to them, so they just lock it down.
This leaves employees who need the data scrambling to get the information some
other way. Technologies that provide the ability to share data based on clearly
defined policies can go a long way toward resolving those fears and empowering
people with needed information.



Q: How does Domo’s self-service offering help minimize cybersecurity threats and risks to sensitive client data?



NIALL: Domo allows customer data to be moved
from unsecure spreadsheets and one-off databases to a central, auditable data
platform that has been designed to meet GDPR requirements. Customers now have a
central location from where to self-manage their data lifecycle and access
requirements in full compliance with their global data privacy requirements,
including GDPR.



RYAN: The organization’s data within the Domo platform is protected according to rigorous security standards. Domo completes numerous security audits, assessments and compliance requirements, including independent third-party network and system penetration tests. Domo has also achieved certification for ISO/IEC 27001 and ISO/IEC 27018. In addition, Domo provides security self-service functionality that customers can use to layer on security features such as single sign-on, multi-factor authentication and customer-managed encryption keys. Every additional layer of protection employed by Domo customers is another step toward mitigating the threat of unauthorized third-party access.



Q: New data regulations (such as GDPR) and changing laws on user cookies have presented challenges and opportunities in the data privacy sector. With compliance increasingly important, how has Domo leveraged its platform to keep its customers safe and compliant?



NIALL: Domo is a data platform designed to enable customers to meet their global data privacy requirements. Domo customers include 40% of the Fortune 50 companies. This rich tapestry of diverse customer requirements has enabled Domo to simplify data privacy. We do this by providing customers with the self-service capabilities within the platform so they can safely manage the lifecycle of their data.



RYAN: Once the data is in the platform, data
stewards can implement technology-driven access policies through personalized
data permissions consistent with their organization’s own policies and
procedures. In other words, they can use the Domo platform to enforce the
organization’s rules governing that data, even if those rules vary from region
to region. The Domo platform allows data stewards to manage access and use of
the organization’s data while mitigating the risks associated with such access
and use in a way that isn’t possible when dealing with disparate, separate data
repositories and technologies. The Domo platform allows data management at
scale, from global policies down to specific access by the individual.



Q: What are the biggest trends in big data and privacy at the moment? How will they evolve over the next 3-5 years?



NIALL: The conundrum is that data privacy requirements will get stricter, more data will be created, and more people will need access to this data in the future. A solution can’t be achieved if the data remains in spreadsheets, emails and legacy tools. The solution is to centralize the storage and management of this data, so as to allow real-time access while ensuring that strict data privacy requirements can be met. Those that don’t learn this lesson quickly will face a rocky data transformation road ahead.



RYAN: A really interesting current trend in big data and privacy is the use of data in artificial intelligence and machine learning. With AI and ML, data—often in the form of personal data—is analyzed to generate unique insights and to influence machine decision-making. One of the key considerations with AI is just how much the use of personal data to create the insights or decision-making by the system conflicts with an individual’s right to control his or her personal information. At the moment, there are more questions than answers. Over the next 3-5 years, we will of course continue to see advancements in the use of AI. At the same time, I expect to see governments and regulators establish more defined boundaries around AI data ethics and privacy. Hopefully, the coming regulations and laws will be consistent worldwide.



Q: Do you think technology in general will develop
quickly enough to handle new volumes of data and to meet privacy regulations?
Or will platforms and organizations alike need to work harder to manage them?



NIALL: This is not a technology problem. Many of the central data platforms required to meet these strict data privacy requirements already exist. Organizations must now make the necessary business decisions to keep their customers’ data safe and protect their reputation.



RYAN: I think technology and privacy regulations will likely always follow a little behind the data being generated. It is easy to create data. It is hard to figure out all that is possible to do with data once we have it. And it is even harder to figure out the right thing to do with data once we have it. Organizations will always be working to keep up with the new volumes of data at their disposal.
