When Data Met Identity

My two favorite worlds – data and identity management – are predictably starting to collide in overt ways. Over the past decade, we’ve seen slow, but mostly steady, progress forward with a variety of identity management initiatives. The data world has moved exponentially faster and more explosively. As we grapple with the growth of personal data across an array of collection devices (including mobile devices) and storage mechanisms (including the cloud), identity management will be seen as the key fundamental enabler that it truly can be.

We live in a world of networked ecosystems. There will be two primary considerations for maintaining the vibrancy of those ecosystems, and the communities, exchanges, and analytics that are done therein:

  • the ability to uniquely establish an identity (for a wide variety of purposes, including ecommerce, health care, analytics, information sharing, banking, etc. etc.) and
  • the ability to limit access to personal or sensitive data to only those with a legitimate need to access and use it

The ecosystems by nature have porous, extended boundaries. But many people belong to a variety of ecosystems, and the networked nature of the internet should allow us to glide effortlessly among these different environments. We’re not there yet, but technologies such as master data management and multi-factor authentication (among many) will help networked communities to thrive by creating trust, building interoperability across systems, promoting reliability and integrity, improving processes, and controlling security and privacy.

Beyond technologies, however, strong governance processes and trust frameworks must be developed and implemented to continue to foster the trust, privacy, and reliability of the system of systems.

Davos and Data – Please Don’t Forget the Basics!!

The annual World Economic Forum recently ended in Davos (one year, I WILL get an invitation to attend this!!).  Those of you who follow my Twitter feed know that data was a big topic at the WEF this year. There were several sessions on the topic, and a report titled “Big Data, Big Impact: New Possibilities for International Development” was released.  The report focuses specifically on the impact the collection and proper application of big data (particularly from mobile devices) can have on financial services, education, agriculture and health care.

Yesterday, the WEF’s Global Agenda Council on Emerging Technologies released its list of top 10 emerging technologies for 2012.  Number one on that list is Informatics for adding value to information, which the Council further explained as:

“The quantity of information now available to individuals and organizations is unprecedented in human history, and the rate of information generation continues to grow exponentially. Yet, the sheer volume of information is in danger of creating more noise than value, and as a result limiting its effective use. Innovations in how information is organized, mined and processed hold the key to filtering out the noise and using the growing wealth of global information to address emerging challenges.”

Informatics beat out some very cool scientific areas such as synthetic biology, nanoscale design of materials, and high energy density power systems. Data has gone mainstream.

In everyone’s rush to jump on the ‘big data’ bandwagon, the ‘informatics’ bandwagon, the ‘unstructured data’ bandwagon, there are foundational items that need to be addressed if organizations are going to see the kinds of payoffs they should be having; otherwise this becomes one more addition to the list of trendy things that didn’t work out.

#1 – Have a plan. An enterprise information management strategy is absolutely necessary. Your business has a strategic plan (hopefully). There is no way any business today can operate or innovate without using and leveraging data, so there should be a plan around the capture, usage, maintenance, distribution, security, and disposition of your corporate data assets.

#2 – Someone should have ultimate responsibility and authority for data. This is not the CIO. This is not the CTO. This is not the IT team. This is someone who is charged with the responsibility of managing data from the enterprise perspective, who represents the business, who sits on the executive leadership team, who makes the executive decisions, and whose ass is on the line for the overall quality, integrity, and optimization of those data assets.

#3 – There must be an investment in data. This investment should be in the form of people, dollars, training, and technology.

If the foundational items aren’t done, what your company will have is still a bunch of siloed data of questionable quality – you’ll just have more of it.

Data Security – Crossing the Chasm

If your organization is engaging in information sharing (internal or external, it doesn’t matter) or if your organization is trying to optimize critical data sets through a ‘capture once, use many’ strategy, then a strong data security plan will serve as an effective enabler to accomplishing these goals.

But most data owners don’t speak security-ese. Most enterprise architects (EAs) don’t either. The security folks, on the other hand, are great at what they do – as long as they can lock it up, throw up walls, build the moats, and set up a strong defense posture. This approach, however, tends to slow or stop appropriate information sharing and information optimization efforts.

For an organization to effectively utilize, optimize, and share its information assets there needs to be a middle ground between complete openness and complete closure. And this middle ground really needs to be reached first by the data owners or EAs by crossing the chasm over to security.

Data, particularly highly sensitive or highly critical data, needs to be secured, protected, and distributed only to those with need-to-know rights. Too often what I’ve seen in EA documents or data governance plans is a box on a drawing for security that ends up being a black box where too often projects go to die.

The ‘Roles-based Access Control’ box needs to go far beyond this one line and do much more to:

  • enable data to be leveraged and re-purposed appropriately, to
  • build trust in processes and policies around information sharing and re-use, and, to
  • increase confidence in policy enforcement

I’ve seen too often the default mode of trying to protect all data assets in the same way, and applying the same policy enforcement controls for any and all transactions and requests. The problems with this approach include the slowdown or stoppage of legitimate information requests and the inflated costs of trying to protect everything the same way.

Business data owners should provide the leadership to the architects and security teams regarding the rules, roles, and processes to accomplish SIMULTANEOUSLY the appropriate distribution and use of information assets and the security and privacy of those assets.

This requires a risk-based approach (not all data is created equal) to data security classification; a knowledge of the business rules and regulations that guide the usage of data assets; a sophisticated identity and access management system that includes roles, rules, and attribute based provisioning; and a strong policy enforcement engine. Other tools and technologies that can be useful are a meta-data tool, multi-factor authentication technologies, and an attribute exchange mechanism.

Again, it’s the responsibility of the business data owners to lead and guide the technologists to choose and implement the enabling technologies in the most appropriate way to achieve the business goals while securing systems and data and remaining in compliance with all applicable federal, state, and international laws.
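The risk-based approach described above can be sketched as a small policy decision function. This is an added example, not code from the original post: the tiers, dataset names, roles and purposes are constructed assumptions, with the death-records sharing case from the Colorado post used as one input.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    SENSITIVE = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Dataset:
    tier: Tier
    roles: frozenset      # roles the data owner allows
    purposes: frozenset   # approved need-to-know purposes


@dataclass(frozen=True)
class Request:
    dataset: str
    role: str
    purpose: str
    mfa: bool


# Constructed catalogue; in practice the business data owner maintains it.
CATALOG = {
    "open_budget": Dataset(Tier.PUBLIC, frozenset(), frozenset()),
    "staff_directory": Dataset(
        Tier.INTERNAL, frozenset({"caseworker", "analyst", "clinician"}), frozenset()),
    "death_records": Dataset(
        Tier.SENSITIVE, frozenset({"caseworker"}),
        frozenset({"benefit_termination", "eligibility_screening"})),
    "medical_records": Dataset(
        Tier.RESTRICTED, frozenset({"clinician"}), frozenset({"treatment"})),
}


def decide(req, floor=Tier.PUBLIC):
    """Return (allowed, reason). Controls accumulate as the tier rises.
    floor=Tier.RESTRICTED models 'protect everything the same way'."""
    ds = CATALOG.get(req.dataset)
    if ds is None:
        return False, "unclassified dataset"   # fail closed
    tier = max(ds.tier, floor)
    if tier >= Tier.INTERNAL and req.role not in ds.roles:
        return False, "role not authorized"
    if tier >= Tier.SENSITIVE and req.purpose not in ds.purposes:
        return False, "purpose not approved"
    if tier >= Tier.RESTRICTED and not req.mfa:
        return False, "MFA required"
    return True, "permit"


# Constructed sample requests.
SAMPLE = [
    Request("open_budget", "citizen", "", False),
    Request("staff_directory", "analyst", "", False),
    Request("death_records", "caseworker", "benefit_termination", False),
    Request("death_records", "analyst", "marketing", True),
    Request("medical_records", "clinician", "treatment", True),
    Request("medical_records", "clinician", "treatment", False),
    Request("tax_returns", "analyst", "audit", True),
]


def blocked_by_uniform(requests):
    """Requests the tiered policy permits but a one-size-fits-all policy denies."""
    return [(r.dataset, decide(r, floor=Tier.RESTRICTED)[1])
            for r in requests
            if decide(r)[0] and not decide(r, floor=Tier.RESTRICTED)[0]]


if __name__ == "__main__":
    for r in SAMPLE:
        print(r.dataset, r.role, decide(r), decide(r, floor=Tier.RESTRICTED))
    print("blocked only by uniform policy:", blocked_by_uniform(SAMPLE))
```

Running it shows the three legitimate low- and mid-tier requests passing under the tiered policy and failing under the uniform one, while the restricted-tier and unclassified cases are decided identically by both.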

CES 2012: Rise of chief data officer predicted

A recent story out of the 2012 Consumer Electronics Show (CES) predicts that among the top five technology trends that will change advertisers’ approach to marketing in 2012 will be the rise of the chief data officer (CDO). Throughout the C-level suite, particularly on the marketing and product innovation sides of the house, they are beginning to understand that leveraging their data will be one of the few keys to achieving and sustaining a competitive advantage. The ones that will win will understand that they are data companies who happen to be servicing a particular vertical or market segment. This is a mindset transformation that not every company will be able to make.

CIOs and CTOs need to understand this or risk seeing the chasm between business and IT continue to grow, or, worse, becoming irrelevant.

Starting an Enterprise Data Program From Scratch, Part 2

In my initial blog on December 11, I kicked off dataTrending with a discussion on building an enterprise information management (EIM) program from scratch, as well as what the role of the Chief Data Officer (CDO) should be. The two big challenges we faced at the State of Colorado with regards to EIM were, first, the operational authority and scope of the CDO and program. This blog picks up where the first blog left off, and deals with the second challenge, how to build value quickly in an organization with no history or reference point for this type of work.

The State literally had no history of enterprise architecture or data management principles and policies beyond individual agencies.  Creating value quickly to both build momentum and to increase support among the skeptics would be critical. There was an abundance of opportunities and work to be done. How should we start and how do we prioritize opportunities? How do we organize the work and develop a framework that is repeatable and sustainable across a $19B organization? How do we manage work across multiple swim lanes – governance, policy and process, change management, technology and tools – at once? How does one mobilize an organization to start thinking and acting differently about its data? The cultural and trust issues can be real impediments to success and need to be addressed both head on and with diplomacy.

The most critical factor was to align and prioritize this work with the strategic needs, opportunities, and key business drivers of the State. What was important from the executive management’s (the Governor, Legislature, and Agency Directors) perspective? What were their top problems and issues they were trying to solve that could be supported by our program? This is the only way, in my opinion, an EIM program can truly add value and keep support.

The three prisms through which we approached our work were legislative, governance, and operations.

Through a series of four laws over two years, we established the state’s intent around data sharing and information management; explicitly gave agencies permission to share data (unless a federal or other state law expressly prohibited sharing of certain data); and, established a governance board that would retain continuity through administration changes.

On the governance side, we purposefully asked for a mix of business, technology, and financial representatives from the agency participants to ensure that business was driving priorities. Meetings were held monthly, and a very actionable set of deliverables was developed and worked through so progress could be quickly seen.

Operationally, we adopted enterprise architecture and data management frameworks to ensure our approach had a roadmap and followed industry best practices. We created an enterprise data strategy and work priorities were developed through input from key stakeholders across the organization and the governance board.

One of our primary business drivers was enterprise information sharing to inform policy making, resource decisioning, and program management. We identified three primary communities of interest with major information sharing initiatives across the state agencies and leveraged those projects to begin building out our portfolio of policies, processes, procedures, technologies, and tools that we would need to support enterprise initiatives. Into the project budgets we added line items for key tasks, activities, or people to support the work: things like an enterprise architecture tool, business analysts, and data systems inventorying.

Instead of trying to tackle the entire data management framework, we identified four major areas that would support the information sharing business driver to begin our policy and standards work. And then finally, we just dove in and started the hard work. It was a major effort of entrepreneurship in a government environment. It was not always easy, and not everything we did was a huge success. But we had executive support and were iteratively able to make progress and show small wins built into bigger successes.

Open Data vs. Data-driven Decisioning

The Open Data movement has had great momentum over the past couple years, with over 40 countries now committing to some sort of public open data portal. I’ve appreciated the early efforts of the open data movement, but have always posited that while publishing data for the sake of transparency is good, it can’t be the end goal.

What cities understand (and are doing) far better than state and federal governments in the governmental ecosystem is how to leverage data sets to drive innovation, economic development, and data-driven decisions for agility and transformation. A recent article by the Chief Technology Officer for the City of Chicago highlights this: “The first two, fairly well-established tenets of open government; the last two, long-term policy rationales for positioning open data as a driver of change.” They are:

  • Transparency builds trust
  • Accountability builds a better workforce
  • Analysis builds new processes
  • Open data builds businesses

Chicago has even created the position of Chief Data Officer to lead these efforts.

As these open data efforts continue to mature, we’ll see more of this business-centric, transformative approach to enterprise data management. Governments will also start to embrace the value of data standard schemas, linked data, and platform-based concepts. The true value will be identifying inflection points across service areas and leveraging data throughout the ecosystem to perform both macro and micro-level based analytics, inform policy making, and create service innovation.

Disrupting Government Business Models (The Innovator’s Dilemma meets the Cash Cow)

In the public sector, there are real opportunities for citizen service enhancement via online and mobile transactions with strong enterprise information management and digital identity management strategies and architectural approaches. But in addition to the implementation challenges of these technologies, many states find that existing state legislation and policy do not support true innovation by state governments.

Let me give you an example. In Colorado, we had an enterprise information architecture strategy to deal with the technical and data limitations of existing systems. Service oriented architectures can go a long way to linking systems and applications together.  From the data side, it makes perfect sense to be able to share certain records (like birth and death) across agencies for eligibility screening and program management.

To improve the customer experience, why should we make a citizen provide a copy of his or her birth certificate for each of the myriad of social services and health care programs that individual may be eligible for? It takes precious time out of the individual’s day and increases the cost burden to them. Especially when we already have that data electronically in a system.

With death records, it makes sense to share that information – appropriately – to the agencies with which that individual was doing business so that services can be terminated and the state doesn’t continue to issue benefits (and money) to dead people.  Additionally, it can cut down on identity theft and fraud.

This sounds great, right? Improve and enhance service capabilities, reduce fraud and waste. But what about the unintended consequences?

At one of our early governance board meetings, a board member raised a very strong concern about sharing this information with other state agencies. He represented the agency that, among many things, was responsible for vital records. Surprisingly, his concern wasn’t really about the sharing of information across agencies. His concern was about the revenue impact to his agency. This agency also happened to be cash funded, meaning the majority of their operating budget came from moneys they earned themselves, not from general funds allocated by the state legislature to them. A major part of their revenue stream was sales of birth certificates to citizens, and sales of data (like death records) to other state agencies.

By doing what we proposed to do – in order to streamline government operations, improve customer service, and reduce waste, fraud, and abuse – we would drastically impact the revenue of this agency.  How else could they possibly make up that lost revenue? We did not have a good answer.

This is a really tough question that most states have not begun to tackle. True transformation of the government services delivery model also means the business and revenue models must be approached in new ways. This often involves changes to legislation, to state constitutions, or to state budgeting processes – none of which are easy – and requires a strong political will.

There are similar analogies in the private sector world, where new business channels and models threaten to cannibalize the traditional business models of organizations. Transformation through technology is relatively easy.  The willingness to tackle the political and cultural challenges requires true vision, leadership, and commitment.

Medical Apps and Identity Management

Wired.com recently ran an article discussing the impact and challenges of the mobile healthcare app market. Not only are doctors getting new apps to help them do their work, but there are hundreds of consumer medical apps available now.  In fact, just the other night, a friend gave me a very cool demo of a product called Up, from Jawbone (the maker of Jambox) which (directly from their website) “is the combination of a wristband and iPhone® app that tracks your activity and sleep and inspires you to move more, sleep better and eat smarter.”

One can easily envision the day when access to individual electronic medical records and images is available through an app, which is what the Wired.com story was suggesting. I personally, being a fairly frequent business traveler, as well as having moved several times in my adult life, would find this one-stop access to my medical records via a mobile device to be extremely useful.

However, what’s missing from this conversation is the concept of identity management (IdM) and privacy. While it’s fairly easy to envision how a controlled health information network environment can appropriately manage access to medical records, it’s a big leap to open that network up to anyone with a smart phone or iPad. This is where the burgeoning digital identity management ecosystem will make immediate impact.

When I try to access my electronic health records via my iPad, there are a number of assertions, authentications, and authorizations that will need to occur in order for the records to be released AND for the medical provider to be in compliance with HIPAA. Technologies exist for this in both the master data management (identifying me uniquely and making sure it’s MY information that I receive) and IdM (digitally binding an identity token to me and accepting that token as a relying party for strong authentication and authorization to perform an electronic transaction) areas. The much harder work is on the supporting policy and process swim lanes to ensure the right controls and rules are in place to be enabled by the technology.

Lots of exciting work still to come over the next 5-10 years in this market!

CDO Insights – Starting an Enterprise Data Program from Scratch

In 2009, I became the Chief Data Officer of the State of Colorado, the first for a state in the country. It was a tremendous opportunity, as well as an honor, to be appointed by a governor – and supported by a legislature – who truly had the vision and understood the role of data in an organization to truly transform service delivery and performance management across an enterprise.

There were two primary challenges in creating this role in the enterprise. The first was the development of a strong operational model for the role. What is the span of authority a Chief Data Officer (CDO) should have, both strategically and tactically? How does this authority get created and embedded, via policy, budget, and operations? How and with whom will this role engage across enterprise lines of business (in this case, the executive branch agencies, the legislature, and key stakeholders at the state and local level)? What kind of team is needed to support the CDO?

The second challenge was that the State literally had no history of enterprise architecture or data management principles and policies.  Creating value quickly to both build momentum and to increase support among the skeptics would be critical. There was an abundance of opportunities and work to be done, which I will discuss in a later post.

The Chief Data Officer role can be a crucial part of the C-level, strategic thinking of an enterprise in the era of all things digital and data. It’s been said ad nauseam that data and information are some of the most important assets that organizations – private and public sector, large and small businesses alike – have. And of course, it’s true. However, it’s been my observation that most organizations still very much struggle with their level of sophistication around how to really manage, integrate, and leverage this major asset class in a way that drives opportunity, transformation, bottom line results, stock price increase, or improvements in service delivery. It’s surprising there’s not been more momentum to create this role within organizations.

A strong enterprise information management program can result in the following benefits to organizations:

  • Customer-centric integrated information environment
  • Access to robust information and delivery of that information where needed, including to mobile devices
  • Economies of scale and reduced development efforts and operational costs
  • Consistent and reliable information, with the ability to layer on strong advanced analytics
  • More agile and proactive business operations
  • Platform scalability with more shared services
  • Data as a service, capturing data once and leveraging it across multiple business processes and applications
  • Trust framework that enables appropriate information sharing and access while ensuring privacy, confidentiality, and compliance

An obvious question is: shouldn’t this be what the Chief Information Officer (CIO) should do? Perhaps, but the reality in most organizations is that the CIO is focused on the technology and operations that support the organizational data needs. This by itself is an enormous challenge. Most CIOs are very good consultative partners with regards to how technology can support business operations. However, the true ownership and stewardship of data and information rests on the business side of the house, not with the technologists.

Therefore, the executive suite needs someone who can oversee the strategic business application of its information assets enterprise-wide. Someone who advocates for information; who can facilitate cross-departmental discussions about information; whose responsibility it is to optimize existing information assets, to identify information gaps, and to work with units to acquire needed data (structured and unstructured); someone who builds the trust and partnerships across the organization (chief diplomatic officer? – more on this in a future post); and, someone who can set organizational standards and policies for enterprise information management to improve quality, accuracy, and usability of critical core data assets. These are at the center of a CDO’s responsibilities.

I think that over the next decade, we will see much greater interest in and a maturing of the role of the Chief Data Officer in the same way we’ve seen the Chief Information Officer, Chief Strategy Officer, or Chief Information Security Officer roles mature.