7/13/24, 12:20 PM Gartner Reprint

Licensed for Distribution

Data Security Governance Must Balance

Business Outcomes and Risks
1 November 2023 - ID G00796460 - 18 min read

By Brian Lowans, Andrew Bales

Security and risk management leaders must attain executive support for investment in data
security by focusing on business risk mitigation. This requires working with multiple
stakeholders on data security governance to agree on the optimal balance between business
outcomes and data risk mitigation.

Overview
Key Findings
Security leaders struggle to communicate data security requirements in a language that business executives can
understand, if the requirements don’t explain how data risks affect project objectives and business outcomes. This
results in insufficient budgets and staffing, and inconsistent and misaligned data security posture.
https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 1/20
7/13/24, 12:20 PM Gartner Reprint

Dynamic changes to data storage and processing across on-premises and multicloud services are creating huge
challenges for security leaders to adapt and provide consistent and effective data security. This is impacted by
dynamic changes to shadow data, data residency, compliance and disconnected security controls.

Data security posture is inconsistent across the available data security, privacy, and identity and access
management (IAM) products and controls. This is because most cloud services and vendor products operate
independently with siloed controls.

Data security products deploy proprietary solutions for data discovery, categorization and classification. But these
do not integrate with other products and rarely integrate with data and analytics products that leverage different
data categorizations and cataloging.

Recommendations
Security and risk management (SRM) leaders responsible for managing data risks, in concert with data and analytics
leaders, should:

Use data security governance (DSG) to establish how data risks can be assessed in the language of business risks
and their impact on business outcomes such as project performance, client experience, compliance, audits,
incident response and security threats.

Work with business, compliance, IT, data analytics, risk and security stakeholders to leverage DSG to define data
security policies that balance business outcomes against the prioritized mitigation of data risks.

Establish a data risk assessment (DRA) to review and report any shortcomings in the implementation of data
security policies based on how the existing portfolio of products applies data security controls, and the ability of
staff to orchestrate these controls.

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 2/20
7/13/24, 12:20 PM Gartner Reprint

Collaborate with the DSG stakeholders to establish business support for any recommended changes to the
deployment of security products and business use of data. This might require approval for changes to staffing,
security budget, and impacts to business outcomes due to any shortcomings in mitigating the business risks.

Use DSG to review and reassess the data risks and business risks as business processes, compliance
requirements and security threats evolve.

Strategic Planning Assumptions

By 2026, 40% of organizations will use DSG to support business outcomes and data security investments, up from
less than 15% today.

By 2026, 30% of organizations will use DSG to drive greater efficiency and automation of data security controls to
support digital transformations, up from less than 5% today.

Introduction
As organizations accelerate the digital transformation of products and services across multicloud and hybrid IT
architectures, they must ensure that dynamic changes are made to data analytics processes and data pipelines. This
is to cope with the acceleration in volume, variety, velocity and value of data exploitation and proliferation across
cloud services.

At the same time, data risks are accelerating due to complex data residency, because data is increasingly sourced
from different countries, stored in different locations, accessed by staff in different locations, and accessed by
generative AI technologies. Data risks are also affected by a variety of international privacy, health, financial, credit
card and government regulations, and internal restrictions for highly sensitive intellectual property (IP). Compounding
these risks are the impacts of a variety of security threats, accidental disclosures and requirements to share data
with business partners and data ecosystems.
https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 3/20
7/13/24, 12:20 PM Gartner Reprint

It is urgent and critical for SRM leaders to implement a process to govern the mitigation of data risks. This process
must be assessed and evaluated in the language of business, showing how data risks create business risks that
impact business continuity and business outcomes for a variety of projects and services. Business risks include
measurable impacts on project performance, customer experience, data quality, compliance and privacy reporting or
penalties, IT and analytics performance, and security incidents. Business outcomes that are affected by these risks
can typically be measured in terms of financial, project and service delivery targets. Data security governance (DSG),
therefore, requires striking a balance between achievable business outcomes and appropriate mitigation of these
data and business risks.

Analysis
DSG is led by a chief information security officer (CISO) or other SRM leaders, and will also gain tremendous
business value if it is done in collaboration with the chief data and analytics officer (CDAO) who manages data
analytics governance and business leaders (see Key Behaviors Driving CISO Effectiveness). SRM leaders should
commit to leading DSG to create a balanced data security posture that is implemented through a suite of data
security policies (see Figure 1). The CISO must create collaboration and consensus across DSG stakeholders to
leverage their disparate perspectives, responsibilities and budgets for managing data. The stakeholders form a data
security steering committee (DSSC), which should include business leaders responsible for delivering projects and
services, the CIO, the CDAO, legal and the data protection officer (DPO), and the chief risk officer (CRO).

Figure 1: Implement Data Security Governance Through Five Stages

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 4/20
7/13/24, 12:20 PM Gartner Reprint

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 5/20
7/13/24, 12:20 PM Gartner Reprint

Do start here: It is critical to start by developing data security policies that can then be orchestrated across the available
data security controls so that data risks can be directly assessed.

It is important to start DSG by establishing the data security posture and policies against changing business
processes, compliance requirements, security incidents and changing data risk appetite. DSG is an evolving
framework that may take considerable time to mature due to the complexity of projects and services that are utilizing
multiple datasets. In order to start DSG, and respond to project changes over time, it is incredibly valuable to focus on
a single project. This will enable dynamic win-win DSG assessments to be delivered quickly. It will also result in
project-focused risk assessments that, when combined, will provide risk perspectives across the whole organization,
and the impacts of risks on each project’s business outcomes.

Don’t start here: Deployment of any individual data security products will result in siloed data protection because they do
not integrate with each other. However, since data can travel everywhere across your IT architecture, it is really important
to start with a consistent data security policy approach.

Organizations are challenged with the complexity and variety of security controls that need to be deployed across
multiple independent vendor products. This requires focused training, experience and time to achieve success.
Cybersecurity models and standards provide terrific support in the analysis and deployment of data security controls.
However, SRM leaders should not rely solely on cybersecurity models because these typically do not support the
creation and application of data security policies that can then be evaluated against the security controls, and do not
translate the impacts of security on business outcomes.

As part of DSG, SRM leaders must assess business and data risks through the five stages shown in Figure 1 (and
detailed below), then reassess these cyclically or as new business processes and risks emerge. SRM leaders must
https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 6/20
7/13/24, 12:20 PM Gartner Reprint

also evaluate how data security policies have been implemented across the existing security product portfolio to
identify any gaps or inconsistencies. They can then recommend changes such as the need for different staff
commitments or operational implementation. This creates the basis for business support to accept the achievable
data security posture or to establish a different investment plan for future changes. It establishes a defensible data
security posture that can be orchestrated across the available security products, and recommendations for changes
to the data security posture.

1. Evaluate and Prioritize the Business Risks

Each dataset is different and can support the business outcomes across different projects throughout its life cycle.
However, the need to store, access and process data will also expose each project to a variety of business risks that
result from the perspectives of each stakeholder (see Figure 2). DSG enables the DSSC to focus on each project to
understand how the governance and exploitation of specific datasets contribute value to the business outcomes,
based on quality, accuracy and life cycle, among some others. The DSSC must then identify how each dataset may be
subject to a variety of compliance risks related to privacy, financial and government regulations, and IP restrictions,
and a variety of security threats. The business will continuously try to improve performance through innovations,
resulting in digital transformations and dynamic changes to its data analytics and pipelines across the IT
architecture.

Figure 2: Leverage DSSC Stakeholder Perspectives to Identify Business Risks

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 7/20
7/13/24, 12:20 PM Gartner Reprint

Business teams are focused on the delivery of projects and services that meet the needs of existing and future
clients to deliver successful outcomes. They will be reluctant to make any changes to performance, customer
experience or project delivery, which may affect business outcomes, because they don’t normally have responsibility
for compliance, auditing, incident response or security. This requires the DSSC to identify, assess and prioritize data
risks based on their impacts on business risks and on the measurable business outcomes. However, the DSSC must
first establish an agreed data security posture and policies.
https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 8/20
7/13/24, 12:20 PM Gartner Reprint

2. Establish a Balanced Data Security Posture

The DSSC stakeholders need to agree on which business risks to prioritize, and to establish a data security posture
that is acceptable to the business.

As an example, consider a company headquartered in the U.S. with a new service planned for deployment as a SaaS
to support customers internationally (Figure 3). Operationally, the business team wants the service to be deployed
and operated centrally within the U.S. to optimize performance, optimize client experience and market opportunities,
and minimize costs. But this means customers’ personal data will be acquired from multiple countries and will be
subject to privacy laws. A mix of old, current and prospective customers also creates challenges because a variety of
personal datasets will evolve with different life cycle impacts. Immediately, the compliance and security stakeholders
will recommend data protection that controls access to the datasets and addresses complex data residency
constraints. The data life cycle also requires careful access management to balance privacy requirements against
appropriate business purposes and data subject access requests, among some others, while supporting tax and
revenue reporting needs. It also raises conflicting requirements among the business, data analytics, IT and risk
stakeholders for enabling appropriate, timely access to each international customer dataset by the various business
teams internationally

Figure 3: Balancing the Data Security Posture

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 9/20
7/13/24, 12:20 PM Gartner Reprint

Clearly, such a scenario would require negotiation and acceptance across a DSSC of the need to balance business
outcomes against risks. The complementary responsibilities of each stakeholder enable the DSSC to reflect,
https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 10/20
7/13/24, 12:20 PM Gartner Reprint

negotiate and report a comprehensive organizational perspective on the various impacts of risk, and enable a
business-led decision to define the data security posture. For example, the lifetime of each dataset can vary from
minutes to decades and create different demands for life cycle management, and create conflicting privacy and
business risks. This is especially variable for different data types that include personal, health, IP and financial data.

The data security posture will result in changes to the expected business outcomes, which are measurable in terms
of financial metrics such as staffing, product costs and performance efficiency. Business leaders must lead analysis
using a financial data risk assessment (FinDRA) or infonomics that will support the data security posture and
communication of the operational compromises. FinDRA enables the DSSC to focus on each project’s operational
revenue and costs to be assessed with attribution of each stakeholder’s associated costs for managing the various
business risks. It enables reporting of the agreement to balance the business impacts of mitigating compliance,
privacy and security risks against necessary changes to the achievable business outcomes, and associated costs for
service changes, compliance reporting, security operations and staff commitments.

It is important for the DSSC to review any changes to the business risks and data security posture on a half-yearly or
yearly basis, or if there are changes required to business processes or new compliance or security risks are
identified. Best practice, of course, requires that these reviews be prioritized, and it should be reported if there are
staffing impacts on the ability of the DSSC to deliver these reviews or to assess particular business risks.

3. Define the Data Security Policies

After achieving a balanced security posture, the DSSC can now establish a set of data security policies (see Figure 4).
These policies are independent of product capabilities and establish acceptable data storage, processing and access
across the whole IT architecture.

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 11/20
7/13/24, 12:20 PM Gartner Reprint

As a first step, the CDAO should work closely with the CISO to identify and categorize various datasets such as
personal data, data concerning health, financial status and government, and IP. Together, they also need to
understand how the data purpose might change during the life cycle and understand the data residency impacts.
This enables the data protection requirements to be aligned with privacy and compliance requirements based on
data protection impact assessments or other compliance-led data risk assessments. These compliance reviews will
provide a series of protection requirements for each dataset that must reflect the balanced data security posture.

Figure 4: The DSSC Establishes Data Security Policies Based on Prioritized Risks

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 12/20
7/13/24, 12:20 PM Gartner Reprint

The data security policies define which user accounts should have certain privileges to access each dataset
consistently across the entire IT architecture on-premises and across the cloud. This is important because these
policies are a compromise to enable certain business operations, while using controls to limit access based on role,
attribute, geography. The policies must also represent user accounts and privileges to data provided to machine
identities, including generative AI. The policies are generically applied and accepted across the whole business. But
because specific groups of users will continue to have privileges to access and use data in support of business
operations, data will still be exposed to certain risks. If the policies need to be changed in the future, a data risk
assessment (DRA) should be carried out to understand how effectively they can be changed.

A DRA is also required to assess how well the data security policies can be implemented with the existing portfolio of
security controls and identify any gaps or inconsistencies in the ability of the policies to protect data across the
architecture.

4. Orchestrate Data Security Controls

It is important to assess the security team’s ability to implement the data security policies by orchestrating the data
security controls across the available portfolio of products. Such an action involves various data security products
and access controls provided by identity and access management (IAM) products, and privileges provided by
applications (see Figure 5).

Data security controls have three broad characteristics:

Data discovery, categorization, catalog and classification, and data security posture management.

Data protection that includes encryption, tokenization, masking, privacy-enhanced technologies.

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 13/20
7/13/24, 12:20 PM Gartner Reprint

Data access monitoring and alert technologies such as data loss prevention, database activity monitoring and
data access governance.

However, no single security product provides all of these capabilities, but data security platforms are evolving to
integrate some controls. This results in the necessary deployment of multiple products, with separate management
consoles that must be operated independently by staff. Further complications arise because data security and IAM
products are typically managed by separate security teams, and applications are managed by data stewards who do
not report to security. Limitations on staffing and split responsibilities pose significant challenges for teams to
provide an acceptable level of orchestration of the data security policies across the product portfolio. It is important
to identify if budget and staffing constraints limit the deployment of a full range of products needed, and if limited
staff availability has led to partial implementation of each vendor’s product capabilities.

Figure 5: Orchestrating Data Security Controls

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 14/20
7/13/24, 12:20 PM Gartner Reprint

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 15/20
7/13/24, 12:20 PM Gartner Reprint

Another reason why orchestrating data security controls is very difficult is that data security product capabilities are
siloed in several ways, creating a “cybersecurity mess.” It is important to evaluate the effectiveness of each product
in applying security controls while understanding and evaluating the following product constraints:

Operating on specific data repositories or pathways.

Providing specific security features or controls, which are different from other vendor products in the same market.

Applying security to either unstructured or structured data, and rarely on all data formats.

Leveraging proprietary data discovery, categorization and classification technology that does not typically
integrate with the other vendor products.

Integrating data security products with specific IAM products, if at all, but these integration choices are typically
different to those for other data security products.

Deploying IAM products that provide security by managing access to endpoint devices and processing pathways
or pipelines, but since they are not leveraging data discovery and classification, they will not be controlling access
to data across these pathways and pipelines.

Applying security controls independently of the application access controls, which are managed by the data
stewards who do not report to security. Large organizations typically have hundreds of applications in use, and
data pipelines are changed frequently. These situations can lead to conflicting access requirements between
security and business teams.

Not supporting the integration with data catalog products means that metadata for quality, accuracy, and life cycle
cannot be leveraged for data analytics governance and business access requirements.

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 16/20
7/13/24, 12:20 PM Gartner Reprint

It is important to evaluate how each product management console implements the data security policies through the
specific controls available. The security team must implement these controls as consistently as possible, and assess
the orchestration of these controls to help coordinate enforcement of these policies. As a result, the security team
will identify a variety of gaps and inconsistencies that result from the orchestration process of implementing the data
security policies.

Create a map of the actual data security features and controls that are applied across the architecture, and identify
any gaps in protections and access controls applied by the combined product portfolio. Identify any shortcomings in
the availability of staff to operate each product. These are critical steps to identify and begin recommending various
combinations of vendor products and staff changes that would be needed to fill in these gaps.

5. Assess the Data Risks

For organizations that implement data security, the real-world challenges lie in the constraints caused by the
products they deploy and the availability of staff and budgets. It is important to analyze how policy gaps and
inconsistencies create data risks that directly lead to business risks. A DRA will enable the DSSC to reassess any
shortcomings in the implementation of the data security policies and whether new security products or changes to
staffing are needed.

It is important to communicate the risks that are related to the DSSC stakeholder responsibilities by focusing on risk
categories such as those shown in Figure 6. The impacts of shadow data (i.e., previously unknown, undiscovered or
unidentified data) are highly diverse, with data exploding across IT architectures within a variety of repositories.
Digital transformations across the cloud, combined with shadow data, will create hugely challenging data residency,
sovereignty and compliance risks. This is why it is important to assess how data and analytics processes create
fragmentation and combinations of datasets across repositories and pipelines and determine whether the
associated risks can be monitored through data observability, data lineage, data life cycle management and data

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 17/20
7/13/24, 12:20 PM Gartner Reprint

quality. All of these factors combined highlight the urgency to assess and report how risks of privacy and
compliance, and security threat incidents can be related to each dataset.

Figure 6: Assess the Data Risks

A staff-led physical assessment across specific pipelines can identify gaps and inconsistencies of the data security
policies. This is a slow and static analysis that is not easily scalable but can generate an invaluable in-depth DRA
report against a specific project and dataset across the project’s architecture. Data security posture management

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 18/20
7/13/24, 12:20 PM Gartner Reprint

(DSPM) is an evolving technique that can help create a DRA by locating shadow data and using data maps to track
data lineage and life cycle. It can also provide some real-time detection of evolving risks.

Security staff can take the following actions to help create a stronger DRA:

Use DSPM to discover data repositories, shadow data and data lineage by tracking how data flows across the IT
architecture. Identify how data is accessed by applications across specific data pipelines, and try to build an
assessment of access risks or pipelines that are not adequately protected.

Leverage IAM, data security platforms (DSPs), data access governance, and data loss prevention to assess how
specific datasets are accessed by various groups of staff. Evaluate specific pipelines as part of a testing process
for specific user accounts, which will help assess how privileges for specific users could create a risk.

Focus on a specific business project to quickly analyze the implementation of data security policies and to identify
gaps and inconsistencies.

Expand the project analysis over time to cover more pipelines and include more datasets and business projects.

A DRA is an evolving story, but it can immediately provide direct feedback to the executive team on the effectiveness
of the DSG in achieving the organization’s data security posture. It can generate a report to the DSSC, which explains
the effectiveness of the existing product portfolio and staffing in implementing the data security policies. Then, the
DSSC can assess potential business risks and decide whether to accept the business risks or initiate a strategy to
reassess investments and staffing.

A DRA is the last step in the DSG framework and allows the data security posture to be reviewed as a cyclical process
by returning to the first step.

Evidence
https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 19/20
7/13/24, 12:20 PM Gartner Reprint

This research is based on over 1,000 inquiries that we have received over several years and our discussions about
challenges with security leaders, data and analytics leaders, and privacy officers.

© 2024 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This
publication may not be reproduced or distributed in any form without Gartner's prior written permission. It consists of the opinions of
Gartner's research organization, which should not be construed as statements of fact. While the information contained in this
publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness
or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or
investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by
Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently
by its research organization without input or influence from any third party. For further information, see "Guiding Principles on
Independence and Objectivity." Gartner research may not be used as input into or for the training or development of generative
artificial intelligence, machine learning, algorithms, software, or related technologies.

About Careers Newsroom Policies Site Index IT Glossary Gartner Blog Network Contact Send
Feedback

© 2024 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

https://www.gartner.com/doc/reprints?id=1-2GSS5SS0&ct=240304&st=sb&submissionGuid=9d79f289-7355-4f52-b0fd-4d8667831385 20/20