Webinar

Why Technology Alone Won’t Protect Your Customer Data


With customer data breaches firmly in the spotlight, there’s never been a better time to ask the tough questions about customer data management. Watch this light-hearted yet hard-hitting webinar on customer data management or read the transcript where Robinson Ryan’s General Manager James Bell interviews global expert Lloyd Robinson on topics that are on everyone’s minds – including:

  • What enterprises need to be asking about their customer data management to reduce security risks
  • The concepts of data shakedowns and data promiscuity
  • How IT governance and data governance approach customer data management differently
  • What needs to happen to rebuild trust in data and identity

Read the Transcript

James Bell:

Welcome everyone to our webinar Myth Busting with Lloyd Robinson: Why Technology Alone Won’t Protect your Customer Data. I’m James Bell, General Manager here at Robinson Ryan. And we’re a data management consultancy and training company.

As you might know, Lloyd is a globally recognised authority on data. He’s our founder and director, published author, keynote speaker, trainer. It’s a mouthful. A contributor to the DAMA International’s Data Management Body of Knowledge. Across four continents, you’ve delivered I think about a billion dollars’ worth of change.

Lloyd Robinson:

It’s probably reasonable.

James Bell:

Lloyd, data, it’s been in the news a fair bit recently. There’s been some pretty significant data breaches recently. Let’s cut to the chase. Why is the failure occurring, and do we need to focus more on cybersecurity?

Lloyd Robinson:

So cybersecurity is obviously important, James. But to some extent, when you just focus on cybersecurity, you enter into sort of a technology arms race. And that can’t fix the problem.

I was watching an old James Bond film the other day, and the baddies are trying to get into Fort Knox. The whole thing’s set up. And it’s a cliched plot line, like the Oceans films all have the same plot. There’s always a technology person explaining how difficult it is to get through the front door. They stand in a white coat, preferably, explaining the unique combination of triple badge locks and biometric tests, and weighted platinum, and stainless steel door that takes the entire screen. No one can get in, they explain.

But the problem is that every film, the safe in every film is built over a disused sewage system. And the plans for those are reasonably publicly available. And so they navigate under the safe with a modest effort drill through the floor. And of course they still need to beat the laser and air monitoring systems, but bubble gum and gymnastics solves that problem, right? They’re sort of thinking like that. They’re asymmetric problems. The cost to the organisation increased faster than the costs to the baddies. So these solutions become unsustainable.

James Bell:

There’s an interesting couple of phrases that you’ve used there. So you’ve talked about a technology arms race. You’re talking about an asymmetric approach. And it’s an interesting analogy. Because I’m sure like many people, you mentioned the word safe. And the first thing that comes to mind is that massive door that takes about five people to move.

But if the safe is not as secure as we think it is, what’s the driver of risk? Is it linked to the themes that we’ve been talking about recently about data promiscuity and how data just seems to love to get around?

Lloyd Robinson:

Yeah. And if you start off and said, “We’ve got our data, and it’s in one safe, and that’s all there is to it.” But the trouble is often, our data’s in many places. Last year, my bank of 25 years rings me up and they say, “Would you like a company credit card?” And I go, “That’s actually something that I could use. So fantastic.” And so we had a conversation, it was recorded, so therefore I thought the contract was done.

The next minute, an email arrives with five forms in it, including a full credit check and history. And so I send off my phone financial details, I sent off my passport, I sent on my driver’s license, all certified. Takes me about three to four hours to get the whole thing together and emailed on an unsecured email back to them.

James Bell:

So let’s set that up. So give me an estimate of how many copies of data were there.

Lloyd Robinson:

So with my five forms, and my emails, and a couple of little clarifications, and a couple more calls, I reckon that my PI data is in over 50 places. Some of them are my ISP and my email provider. Some of them are there, internet intermediaries, etc. But at least 30 places would be in the bank itself that are relatively discernible by customers. So I can actually hear them load up documents, “Yeah, yeah see that form that you sent us on this date.” Read what I said. They can read their application screens. They can notice the error. I know that it’s got into an AI application because they sent me letters. So I can see that it’s at least in 30 places.

James Bell:

So 30 places within the bank. Probably about another 20 odd elsewhere. To coin a common phrase, more copies, more problems. Seems like the more copies we have, the more problems we seem to see.

Lloyd Robinson:

Yeah. And so asking my bank to secure the data in their call recording systems, their document management systems, their credit card processing systems, their data warehousing systems, their AI systems. Frankly, 50 plus places for every piece of data, it cannot work. It’s ungovernable. An organisation can’t secure 50 plus places. So they take shortcuts.

James Bell:

Systems. You’ve mentioned quite a few of them there, and then immediately gone straight to ungovernable. What is the main difference between let’s say IT governance and data governance?

Lloyd Robinson:

Yeah. Often IT governance tends to focus on the container. So they’re the people in the white coats that tell you the 37,000 locks that they put onto the safe. The technology person tells me the way the data’s secured. Of course there’s gold bars lying on the floor outside, but they’re not interested if it’s not inside their safe. It’s not their scope. Whereas data governance focuses on the data. So we’re interested in the contents of the safe. At some level we’re interested in the safe, but it’s really where is that contents.

And so if I have my data in 50 places, it’s just not feasible to secure that many. So some safes are dodgy or even missing. I mean we could use a security idea. I just simply have too many attack surfaces. We started thinking about the problem of securing a single safe, and then we challenged ourselves to a problem 50 times that size.

James Bell:

And I’m guessing that not every safe is going to be the same size as that Fort Knox safe. But that concept of containers, and safes, and attack surfaces, it seems to be missing in the broader conversation of what’s happening in this post data breach world. So we’ve got IT governance from a governance perspective saying, “Our safe over here is secure,” but data governance is saying, “Well, but you should be concerned about every place that copy is located.”

Lloyd Robinson:

And so the question IT governance might say, “Is the data securely stored and transported to a stakeholder?” Whereas the question data governance says, “Should I be sending this data to my stakeholder at all?”

Let’s see if we can summarise this. Everywhere your data is located is an attack surface. Always simplify your data. If you have data you don’t want to breach, don’t keep it unless you absolutely must. And consolidate your data. It’s impossible to secure multiple attack surfaces. You’ll run out of money, expertise, and management.

James Bell:

So there’s a lot there. And I think we should probably come back to that in a little while. I just want to go back to the concept that you’ve touched on there. It seems to me that the difference between IT governance and data governance is that everyone’s responsible for data. And this is an exceptionally responsibility driven approach. And I can’t think of any media coverage where the concept of responsibility for every single piece of that data and every single copy is located. So what does that mean in terms of those pointers that you’ve just spoken to? And how do we move forward here?

Lloyd Robinson:

So in the first one, every place your data’s located is an attack surface. I want cost structures that at most grow linearly with scale. So as I make things bigger, I don’t want my costs to grow at the same rate. And so adding more security appliances and apparatus on a safe is probably necessary, because I am in some sort of technology arms race. But I need to also consider how to make the safe more structurally secure.

So in a couple of the recent breaches, when you broke through the first barrier, it seems like you can have access to anything you want. And so we can start thinking about honeycombing the data or tokenising the data and putting it in other places, more secure spaces. So what it does is even if there is a breach, then it’s less catastrophic. So we can look at things like government identifiers being in a separate place for most commercial organisations. And if they think they need it, then we should tokenise it.

James Bell:

So let’s work through that. It’s an interesting concept that an attack surface, because the surface implies that there’s a fairly large, broad area of being able to penetrate. And that takes a lot of effort. And we’ve got the concept of one single safe here that let’s say your bank is pretty focused on securing. But every other attack surface that’s not necessarily within the bank system is an area where people only need to just get through once, and they’ve got a copy. And you were talking about asynchronicity before. Perhaps we only need to successfully attack and penetrate one.

Lloyd Robinson:

Yep, yep. So the first idea is that if I make it more difficult to get into everything, in my head honeycombing makes sense. So actually my data’s in a series of cells which you can get from one to the other, but you can’t get all the way through easily.

The second idea though of moving into the simplification of data, don’t store the stuff you don’t need. I’m travelling for work, I started to do that again after COVID. And I went to the hotel, and they collected my money. And then before they would give me the room key. So they’re sort of standing there with the room key, and then the data shakedown starts. So it’s like, “Give us your driver’s licence, give us your date of birth, give us your home address. Unless you give us all your data, we’re not going to give you the key,” is the implied thing.

So in their minds, I think they need the data. Because once, someone left their socks behind so we had to mail it back to them. So they collect all this data. And the trouble is once they’ve collected it, they need to keep it forever. So they have my driver’s licence. Everybody’s going to try and attack them forever, and they need to secure that.

So the question that we should really start asking ourselves is does an organisation need this data? And if you don’t have it, then of course that’s another way to get around the cybersecurity breaching issue.

James Bell:

By not having it at all.

Lloyd Robinson:

Yeah.

James Bell:

So we’ve spoken about that attack surface and trying to find ways as an organisation to reduce the number of attack surfaces. You’ve mentioned also looking at ways of being able to simplify where the data is located, and for how long it’s being stored. And that’s where that honeycomb or token kind of approach is where your kind of thinking is a great way for organisations to be able to start plotting a course forward.

It’s difficult enough to store data in one place. We’ve established that. It’s difficult enough to manage every single place it’s stored. It’s difficult enough to manage all of the data that needs to be collected by organisations. And I say needs loosely. So what’s next? I guess you’re talking about consolidating data in some respects?

Lloyd Robinson:

Yeah. So that was the third thing, consolidate your data. So I often think to change the analogy, it’s sort of a way that we think about mining sometimes. But let’s come back to this data spread through hundreds of different places. Some are in proper safes, some are barely secured. Many enterprises have multiple generations of systems storing the same data. And when we write a business case, I’m involved in one right now to replace the system. It only contains the money to implement the new system.

So what they’re going to do is they’re starting with N systems, and they’re going to end up with N plus one. And the removal of a legacy system is a major expense and hard to sell compared to a bright, shiny new system. And we’ve been doing this for my entire career. So I can remember writing consolidation business cases and having them knocked back 30 years ago for a million bucks, and now it’s a hundred million. So we chronically undervalue the cost and expertise required to keep data. And like a disused mine site, we don’t want to pay the restoration costs. No one wants to pay for the damage. I just want to build a new mine.

James Bell:

I like that mine analogy and the restoration concept. Because we were speaking earlier before about the concept of responsibility, and making more people responsible for more of the data. What’s collected, shared, transported. When you think about that in terms of what you just said was the data that’s generated and the data spread, there’s a lot of data that seems to be collected. And it seems to be collected because there’s a State or Commonwealth requirement.

So what about government’s role in all of this? A lot of particularly sensitive data is handed over by people. I like that term you used before the data shake down, because organisations are required to collect it.

Lloyd Robinson:

Yeah. And so there’s an interesting piece of… I think it’s an interesting piece of economic reform. So let me start with a story. 400 years ago if I wanted to send a message, I had to pay for my own horse. I had to buy a horse, I had to keep a rider. And then I could give them a message and they would send it, they would take it to my friend, they’d ride their horse, and take it to my friend, and they’d come back. And so that might take a day or two, and then I’d have to rest the horse and rest the person. So maybe they could do 200 messages a year. And if you did the maths in today’s money, it’s probably $500 to $1,000 a message to deliver. And then the government created this idea called the postal service and they said everyone has one mailbox. And so a message costs, say, what, a buck, is it?

James Bell:

$1.50 I think.

Lloyd Robinson:

$1.50. And people complain about the cost of the post, but it is a double order of magnitude cheaper than running your own postal service. So let’s think about identity in the same way. The approach that we’ve taken today in Australia is that every individual enterprise has to store its copy of government identifiers. I think it was a media story this week or today, I can’t remember, about how basically all government identifiers for every single person will be in the government domain. So it’s a failed expensive impost on the economy.

And there’s some private companies that are offering the service. But at the moment the trouble is I want to talk to someone. And they say, “We don’t handle identity, our partner does.” So I have 500 passwords in my password manager. I can’t see how I’m not going to end up with a thousand passwords in a password manager.

James Bell:

It’s interesting that you’re talking about identity. And I think that what’s brought this home for a lot of people is that in some ways, there’s a loss of identity in this, and that’s a very personal thing. And we’re seeing a really strong reaction. But I’m not quite sure I get the connection between what we’ve been talking before. Although I do love the old school cool kind of approach. Just kind of bring it together. And particularly in terms of that concept about identity management.

Lloyd Robinson:

Yeah. There’s a couple of governments that are thinking about this differently. There’s a poster child, Estonia, who has established a central identity system. And it’s under citizen control that I can determine who has access to my identity. Singapore also has an example.

But I think there’s also ways of imagining this, some sort of decentralised citizen-led model. Because what we essentially do is go have a big centralised identity system that is going to be the most exciting place for the baddies to attack in the whole world. The biggest of the biggest safes. So sort of using blockchain ideas or whatever, it feels like that we can imagine our way through this. And a lot of the building blocks are currently in place.

James Bell:

So we’ve spoken about identity management, and you mentioned a couple of identity management providers. Quite often some of those are free. And there’s always the question if a service is free, then who’s the product? And generally yes, if it’s free, it’s you. And you’ve been talking about some interesting overseas models, and I think we should probably come back and have a bit of a chat about that in a little while. But how difficult do you think it is to actually establish that kind of approach where governments are looking to hand identity management and therefore data sharing back into the hands of citizens?

Lloyd Robinson:

I think to some extent, some of the government thinking in Australia’s been about how do we provide access to government services. So it’s been the government acting like another provider of service. As distinct from what they did with the mail service, which was to create a central messaging backbone to the entire society.

So I think rethinking some of these ideas… And I agree with you when people say, “Let’s go and use a free service.” Immediately go, “Who’s the customer?” And it’s usually not me and if we’re talking about identity. So to some extent, where I would go to first is it feels like some sort of government social problem that we can work our way through. It’s not something that the private sector would’ve ever invented the postal service. But many of the pieces are in place. So I think it’s not necessarily a big body of work here.

James Bell:

In terms of that body of work though, I think we’re seeing a growing awareness of data that we probably wouldn’t have expected previously. Because it seems like a sensible idea that in order to make sure that bad people don’t get access to core parts of the economy, that we make it harder for them by being able to trace back people who do things that probably wouldn’t be accepted in broader parts of society. But in terms of that decentralised model, in terms of government, I’d really like to kind of build out from that. You mentioned the Estonian model. And I’m not quite sure that many people would be aware of that.

Lloyd Robinson:

I’m not Estonian, so I haven’t signed up to it. So from my reading of it, effectively the government has established a centralised identity system. And then it will only disclose tokens to any part of the economy. So if I sign up to a bank or something, they say, “What’s your identity, Lloyd?” And I say, “Go and talk to this.” And it goes, “Okay, now we know your identity.” It’s taken all of that data, and all of that processing, and all of that risk out of the bank, and centralised it. And it also means that later on if I go, “Well, I’ve stopped working with that bank, so I want to take my consent away,” then I have the capacity to do that as well.

So it puts the power of identity back to the individual. And I suppose there’s economic value in reduced investment at every single organisation level, enterprise in the economy level. But also, it creates a society where I don’t have to go to a hotel and have a data shakedown. So you now have to hand over all this stuff, or we won’t hand you a key.

James Bell:

So that’s an interesting concept, because it goes to the heart of why I think this is really confronting for a lot of people. Because we’ve been operating an environment where it’s generally made sense. We’re generally okay with it. Yes, it’s a bit of an inconvenience. But now there’s that fundamental loss of trust that’s associated with core parts of our identity no longer being within our control.

How far do you see this potentially going in terms of a government response of being able to rebuild that trust in terms of identity and data protection here in Australia? And what do you think the implication will be for organisations who are probably desperately trying to avoid being front page news at the moment?

Lloyd Robinson:

Yeah. I can remember the Australia Card. And then two years ago we had the national health thing. Australians are very suspicious of centralised databases. But also, I think the public conversation has been pretty lightweight. So we now find our place where my identity is available freely on the web and the government has mandated that my passport number should be in thousands of places, which means it’s only a matter of time before it is.

So I think somehow, we need to try and adjust the public discourse. And that’s probably more expensive than the tech. It’s going to take us longer to have that conversation to move to a point where you don’t trust a centralized identity system, but you trust your bank, and your utility, and your solicitor, and all your other intermediaries that they won’t breach your passport number. That’s an interesting sort of question.

James Bell:

It is. And I think it goes back to one of the tips that you offered previously about trying to think about your data as an organisation differently, and thinking more importantly about data from your customer’s perspective. Because at the end of the day, the implications of what you’ve just been saying is that every organisation should be responsible for every copy of its customer data that it has requested be handed over and therefore shared amongst the what was it, 50 or so examples, just of one interaction with your bank.

Lloyd Robinson:

Yes. The trouble with data is that we call it an asset. But it sucks you in because it’s free to copy. So it starts off free, and then the next minute you’ve got a multimillion dollar system. And then you’ve got another copy of the data, but it’s sort of still okay. And then you go, “I want to do something else. The data’s free to copy again, so I’ll just do that.”

And so it’s a weird asset because most other assets, if I want to build a new building, it’s going to cost me a lot of money. So I don’t tend to build new buildings without proper planning. But with data, it doesn’t cost me anything. So I can just copy it around, I can put it into spreadsheets, I can do what I want.

So the discipline of data or the challenge of data is it’s discipline in an abstract. But what we can say is that the costs will be reduced. We can see the costs now appearing. I can see the costs to the copying of my identity into hundreds of places in the economy.

James Bell:

And it’s that data promiscuity. Data wants to copy itself. And it wants a copy of itself to go somewhere else where it will once again be copied again.

Lloyd Robinson:

Yes, yes. And so that brings me back to those three principles that we talked about. Everywhere your data is located is an attack surface, so make those attack surfaces… You can use technology, but also the way that you think about it, you encrypt it, you tokenise that data. And then the second idea is always simplify your data. Don’t collect that data if you don’t need it. And then the third one is start to understand that the number of places in your enterprise where data is, and try and find a business case to consolidate that.

And then I suppose to finish that, and then I think the government had a role in the postal service and creating that idea of message delivery, and created double or triple order of magnitude reductions in cost, and increase in security. So I think there’s an identity agenda there that we can also consider as a society.

James Bell:

Interesting. Some really good tips and takeaways for organisations to be rethinking about the true asset value of their data and the cost of that asset being released into the public domain.

Let’s hand over to our audience questions. You’ve mentioned your top takeaways. If you’re sitting in the seat of an organisation and the CEO walks in and says, “It’s not happening to us,” how would you take those three points and takeaways, and turn them into real actions?

Lloyd Robinson:

So I think there’s three separate aspects. So if I’m working with data governance, the first thing I’m going to do is say to my IT group, “I want the safes upgraded. I want you to prove to me that your safes are,” whatever best practice means. The second thing I’m going to direct is not to the IT group but to the business. And I’m going to say to them, “We’re not collecting as much data next year as we are now. Figure out what we don’t need.” “There are lots of stats around that are saying we’re collecting way too much data to execute what we’re doing. And so I want you to simplify the data,” and that will start to appear in my technology systems over time.

And then the third thing that I’m going to say is, “Why have I got so many copies? And maybe it comes back to this mining business case?” The idea of restoration is not a cost I want to pay. But I’ve got all these copies of data, and I’ve avoided dealing with the cost of keeping them, because that’s not very expensive. But all of a sudden this may become expensive if it’s breached.

And then to add onto the government piece, part of my data governance as an organisation might be to lobby government to say, “Why am I doing this? Why are you compelling me to keep a passport number, which I thought was supposed to be a reasonable secret? And you are forcing the cost impost on my business.”

James Bell:

And I think we are seeing some change there. Victor Dominello, was it this week or last week, posted about a new initiative about how they’re trying to manage Working with Children Check, which I think is starting to demonstrate that appetite.

But my personal takeaway from all of this is that technology is a tool, and technology alone cannot possibly be your sole cybersecurity strategy. So I think it’s a pretty good indication about just how organisations need to be factoring in data management as much as they are, they’re technology focused on cybersecurity.

So thanks very much Lloyd. Let’s hand it over to the audience. If you are sitting in there and you’ve got some questions for Lloyd, please feel free to drop them in, just while we’re waiting for some people to type.

I’ve got one. I love to talk about technology as a tool. It’s a tool that over time, we train our brains to be really good at music. But it then also necessarily narrows our focus. How have you successfully coached organisations or teams or executives into shifting the focus away from just focusing on the tool and its outputs, and more broadly the purpose of the work that’s doing? And I guess in the context of what you’re saying before, if we don’t need to collect 100% of the data, how do we use the tool more efficiently so that we’re not doing all of that extra work?

Lloyd Robinson:

Yep. I’ve been involved in great big revolutionary programs, said, “Let’s replace all our IT in our organisation, and we’re going to do that in the next five years and spend a lot of money.” And so to some extent, you get given those all five times in your working life. And they’re fun to do. But I suspect most of the work is actually in the daily grind.

And so it’s the tool or the technology tool comes from… I suppose the question that data management asks is how are we going to use this tool and what are we going to use it for.

So I think as a species, so I don’t think… This is not just an IT issue, this is a species issue. We’ve always invented tools and then tried to figure out how to use them. And I suppose part of the conversation needs to be more emphasis. And I think this is where data governance and data management takes the conversation is into that uncomfortable place of, “Well, what are we trying to do? And why are we trying to do this? And why does our organisation need this data?”

And to focus on those questions and not be distracted, I was with a client a couple of years ago. And I listened to a chief data officer for about 15 minutes, and I didn’t hear a non-technology thing. We’re deploying a new platform, we’re deploying this, we’re deploying that. And after I listened to all the dashboards and analytics, and all the data scientists that they had employed, I sort of said to them, “So how are you going to actually start a data conversation, a tech conversation?” And they went, “I have never thought of it like that. I thought my job was to deploy a data platform.” And you go, “Well maybe, but”-

James Bell:

What’s the point of having a great platform if you’re putting junk data in?

Lloyd Robinson:

Yeah. Yeah.

So you have a CIO. Their job is to deliver a data platform, let them do that. That’s an important thing to do. But your job is to talk about what’s in the data platform and why it’s in there. Of course. And so the longer that you don’t talk about that, the more likely is that you’ll take copies and fill it with junk.

James Bell:

And just get stuck in the tools.

Lloyd Robinson:

Correct.

James Bell:

We’ve got a couple of questions here. Should there be laws to force companies to expunge data they have no further need for?

Lloyd Robinson:

I have a personal philosophy that compelling people to do things tends to get their backs up or whatever.

James Bell:

Well, particularly in Australia.

Lloyd Robinson:

Yeah. So I think companies should discover that, right? But potentially coming out of the Optus conversation, there may well be some compliance that we need to start getting our mind around. I think there’s already some of that, but maybe that’s the way to do it.

But I suppose to some extent, it feels like you’ve taken a shortcut. So instead of an organisation sitting down and saying, “Why do we keep this data and what’s the real cost of it?” We’ve sort of gone, “The law requires us to delete it, so we deleted it.” If organisations are going to start to get the idea of the value of their data and their value to building a proposition to the market that makes sense. If you’re in private sector or in public sector, it’s about maintaining value to the economy or injecting value into an economy. The legislative angle is interesting. But yes, as I said, sometimes it just feels like it just means that we don’t have to think anymore. People just tell us what to do.

James Bell:

It’s become a habit. And that’s probably a good segue into the next question we’ve got from the audience. I think one of the things that we’ve slowly started to realise, and your example was also along the same lines. Why are we constantly having to hand over our identity when people know everything about us anyway? Well, particularly government.

So the example that we’ve got here is applying for a director’s ID. And today is the last day. And there’s lots of issues with the technology platform because people have last minute panic. Doesn’t make sense. But even now, we’ve still got to go through and submit the same information that’s already stored in our myGov identity and then have to reprove and reprove over and over again.

Lloyd Robinson:

Oh yeah. No, and I’m a company director. And when I saw the email come from, I don’t know which mob it is, I laughed because I went, “Seriously, we’ve just deployed myGov.” Which is the second or third identity system that we’ve deployed. And then we’ve just done a major government initiative, and we’ve invented a new number which everybody has to have. And so part of me is going, “How could we not?”

So I don’t know whether the technology is incompetent and it’s impossible to use myGov to deploy a director ID, or whether we don’t imagine it. Now it could be both. So we go, “We need a new concept directors, so we better create an ID for that.” So I don’t know how we get ourselves into this. Is it a tech problem that it’s inflexible and unable to deliver? Is it a concept problem that we go, “Whenever we’ve done anything, we create a new identifier. So let’s just create a new identifier.” They’re trying to solve a structural problem in our corporate register that there are duplicate directors that’s obvious from the outside.

James Bell:

And stopping phoenix.

Lloyd Robinson:

And stopping phoenix companies. So the serious economic consequences have not been able to identify a director as a person, and not been able to identify a director as controlling multiple companies. And so I recognise that there’s an economic imperative to do that. I don’t understand why we created a new number. I’m sure like many people that go, “Lloyd, you don’t understand.” But I feel like I’m one of 23 million people that don’t understand.

James Bell:

And it doesn’t seem like it’s making sense anymore. And it’s almost that situation we find ourselves in where we’re asking questions about data that seems to be that we’re not really getting it. But data isn’t really rocket science, but it seems increasingly like it is rocket science.

We’ve got another question from the audience. When creating and implementing a data governance framework, what would be the key areas that you would focus on in order to ensure its success?

Lloyd Robinson:

So when I’m looking at data governance, I break it into two parts. I break it into the mechanics of data governance, which is setting up executive groups, setting up stewards, getting some basic training, setting up a regular meeting schedule. It’s all mechanics. It starts a process.

But the thing that always terrifies me in enterprises is the agenda. So if I’m involved in rolling out data governance, then I have to walk into a group of executives, and I have to explain to them how their data will be better in a year’s time. Or, they will be saying, “Lloyd, we’ve got problem X or problem Y.”

And so to me, the hard part – you can find someone to set up the mechanics of data governance. But to me, the hard question is really how are we going to find value? And to some extent, people’s complaints will be visible. But they may point at, “Well, we’ve just deployed an enormous IT system that stores your data 50 times. What are you going to do about it?” So what am I trying to do? How am I going to find value is the difficult part.

The second piece of it would then be start small. So instead of having your data in 50 places, have it in 49 at the end of the year. Don’t go for the great big, “We’re going to level the whole world and start again.” Try and find a piece of value. When I’m working with organisations, I’ll say, “What’s your favorite project at the moment?” They go, “There’s this great big project happening.” I go, “Can we improve the data in that?” And in a couple of places we’ve done that, people have gone, “That worked better than it did before. That project gave us more value than we were expecting.”

James Bell:

So I’m just conscious of time. And if anyone does have a quick question to pop in, please do now. Because we’ve got probably about a minute, a minute and a half left.

To summarise what you were saying, I think it’s really important. Because one of the things that executive leaders need to understand and add to their toolkit is understanding what we really mean when we talk about data. So to summarise, you’re talking about getting an executive sponsor who really is passionate about data, understands it, and how that’s going to impact the day-to-day work that people in teams perform.

The second is establish upfront why this is valuable, and being able to build that story so that people go, “You know what? That really makes sense, and I really want to be a part of it.” And the third is just pick a small piece of work, and prove that if we do this, it will make our lives better.

So it doesn’t look like any last questions have come through. Thank you very much to everyone who’s participated today. It’s been an absolute pleasure being able to have a chat with you, Lloyd. Fairly broad ranging and dare I say, esoteric philosophical elements to it. But at the end of the day, I think to wrap it all up, technology alone can’t solve cybersecurity.

Thank you very much for your time. For everyone in the audience, we’ll be posting elements of this. If you’ve got any questions, feel free to get in contact afterwards. If you’ve got any other questions that you’d like Lloyd or one of the other Robinson Ryan team to ask, please feel free to shoot us an email. Otherwise, have a fantastic day.

Lloyd Robinson:

Thanks very much, James. Thank you.

James Bell:

Thanks very much.
