Is data governance or information governance responsible for managing spreadsheet and other EUC risks? Does IT own it or the line of business? The short answer is: both IT and the line of business have accountability. Here are 3 tips to cooperate and reduce these risks.
Spreadsheet Risk: Data Governance or Information Governance? 3 Tips to Reduce Your Risk
There are numerous, well-publicized incidents of errors and data breaches associated with the use of spreadsheets. Almost every company has experienced these issues privately, but fortunately for many, it never made the headlines.
Do you know who in your company is responsible for managing spreadsheet and other end-user computing (EUC) risks? Is this about data governance or information governance? Should IT own the fix or the line of business?
At CIMCON, we get these questions quite a bit. The short answer is: both IT and the line of business should be accountable.
Spreadsheets and other EUC tools firmly straddle the boundaries between information governance and data governance. On one hand, Excel is universal. Everyone has it and the business relies on it to operate mission-critical processes. On the other hand, a spreadsheet may access data from enterprise systems and/or it may be a critical data transformation tool in and of itself.
It really isn’t a matter of who will control the solution or who owns the risk. Experience shows the strongest results come when IT and line of business join forces.
Here are the top three areas where data governance and information governance teams can intersect to provide effective mitigation of spreadsheet risk:
1. Identify confidential data/information
Regardless of whether you use your internal data to prepare a quarterly financial report, or apply proprietary trading algorithms to public data, the spreadsheet that contains them is a confidential, business-critical asset. The challenge to the IT team is the unstructured nature of data stored inside of Excel (and other Microsoft Office files). It is very difficult for IT systems to recognize whether a spreadsheet contains sensitive information or not.
That’s where the line of business comes in. They can provide context to what is mission critical and confidential, giving insight into where deeper levels of protection are needed. You might find that the scope of managing spreadsheet risk isn’t as broad as feared: in a typical company, less than 1% of the end user computing files account for 80% of the risk. There are tools to identify those files.
2. Protect business-critical information assets
On the more IT-centric, data governance side of the equation, traditional IT security infrastructure is a sound, foundational starting point. But with spreadsheets and EUCs, you need more. Technical controls at the data level, such as data classification or data loss prevention (DLP), are broad brushes that aren’t suited to draw the fine lines of control needed within critical spreadsheets and models. For example, if a spreadsheet is used as an integral part of a critical business process, it is prudent to have cell-level locking of specific formulas even though multiple people need access to refresh the data and generate results. Having that fine degree of control and managing it at scale requires cooperation between both sides.
3. Add value to the business
It’s no joke that certain applications are end user controlled for a reason. The flexibility and speed that come from using spreadsheets and other EUCs are highly valued by the people who use them. Accordingly, any governance framework, whether data- or information-centric, must add value and not inhibit that flexibility. No one wants to be labeled “business prevention.” Controls should therefore be automated and transparent to the end users. Another value add is to automate documentation – this will help the business and win over hearts and minds.
Remember, only about 1% of spreadsheet files can have a significant negative impact in the event of an error, inaccessibility or data loss. Don’t let the governance of these end-user-controlled files get lost in the gray area of overlap between data governance and information governance. Mitigating these risks is a challenge that can easily be solved. It’s easier than you think!
Do you know what files constitute the 1% of your greatest risk?
Learn more about information risk in spreadsheets & EUCs and what you can do about it in this Spreadsheet & EUC Information Security white paper.