Rethinking data governance in the digital age

Data governance has always been considered risk management, and still is. But there is another way, and that is on offense.

What is your data strategy? Is it aggressive and innovative? Or focused on risk mitigation?

Few years ago, Tom Davenport characterized the work done by CIOs and CDOs regarding data as data breach and defense.

“Data breach is focused on supporting business goals, such as increasing revenue, profitability, and customer satisfaction,” Davenport writes. “This typically includes activities that generate customer insights (e.g. data analysis and modeling) or integrate disparate customer and market data to support managerial decision-making via, for example, dashboards interactive.” In contrast, “defensive efforts ensure the integrity of data flowing through a company’s internal systems by identifying, standardizing, and governing authoritative sources of data.”

In my language, defense is about anything that makes data ready and safe for analysis. This includes securing data, controlling its use, and the list goes on. The offense is using data to make decisions or transform a business.

Honestly, in the past, I’ve put data governance firmly on the defensive. I’ve since learned that labeling governance in this way creates a perception problem, making it harder to get the business to care about data governance. But recently, a colleague of mine challenged my thinking by suggesting that this view of data governance is too narrow and that data governance (like data management) has both offensive and defensive elements.

Before we dive deeper into the implications of this big idea, let’s explore how data governance has changed over the past two years.

Changes to Data Governance Principles

Historically, CIOs hated data governance even though they considered it important (my recurring #CIOChats on Twitter highlighted this pattern). CIOs hated this because they had to impose top-down governance on the organization or IT took on the data governance itself. Both approaches often failed and made the CIO feel like a bad guy in the process.

So what should be the purpose of data governance? Data governance should be about the people, processes and technology that deliver the right data to the right people at the right time to support data-driven decisions based on trusted information, bridging the data gap and the business. Effective data governance provides data that exhibits the following qualities:

  • Good source.
  • Decent quality.
  • Certified trustworthy.
  • To the people who need it when they need it.
  • To make data-driven decisions.

When governance is provided in a system that automatically captures feedback, the entire governance mechanism can improve over time and guide users towards smarter use of data. New approaches to data governance are based on four principles:

People-centred governance is the opposite of being forced. It uses intelligence to identify (1) who knows the data best and (2) what data needs to be governed and how. People-centred governance signals a shift in purpose; it’s not about forcing people to govern the data or preventing people from using it.

In many ways, the philosopher Jean Jacques Rousseau described the governance of inherited data when he said: “Man is born free but everywhere is chained”. The legacy approach has chained people to a limited view of governance – and restricted their behaviors. To liberate data stewards, data governance must rely on a layer of intelligence that facilitates data management while empowering key processes. And finally, to truly improve, data governance must measure and monitor end-to-end performance so that business goals can be adjusted for the data governance program.

Related article: Customer data management is the key to consumer trust and profitability

Offensive or defensive data governance

So what does data governance that encompasses offensive and defensive postures look like? Let’s take a closer look at how each process differs.


  • Demonstrate compliance with government policies and regulations.
  • Provides lineage to support and defend audits.
  • Records compliance with confidentiality and other regulatory expectations.
  • Confirms the origin of the data.

Defensive data governance meets auditing and oversight requirements. It demonstrates compliance with policies, which typically address data reliability, data quality, or data accessibility. Effective defense requires lineage to demonstrate the reliability of data sources used for reporting or analysis. This includes the provenance of data or tracing the origin of information. All of this supports compliance and helps prepare data for analysis.


  • Leverages data resources to deliver value at the pace of business.
  • Aligns business definitions with measures and metrics to drive alignment.
  • Calibrates confidence in data so decision makers know it is appropriate to use it.
  • Supports self-service and democratizes data so decision-making can be done faster.
  • Uses data product impact analysis through data lineage.

Data governance = driving business value

The data governance offense, on the other hand, is about generating business value from data. It recognizes that the data is not captured but produced and must be adapted for commercial purposes. In my discussions with CIOs and CDOs about cloud data warehousing, they insist that moving to the cloud must have a specific business objective.

With this in mind, the data governance offense supports data policies and maintenance to the extent that these actions support this business objective. The governance offense also focuses on managing and improving data based on data quality results. It creates descriptive metadata for the produced datasets, which provides valuable context for the business analyst. It can also speed up time to value by configuring data the right way the first time.

So what does all this mean? This means that properly constructed data governance has business value. It also means that data governance strategies can employ both offensive and defensive postures.

This stands in stark contrast to older data governance approaches that were primarily viewed from a risk perspective. While defensive data governance continues to have value, combining an offensive strategy creates tangible business value, which is the reason to make the journey. And that means data governance is relevant today for more than risk-dominated businesses. Today, IT leaders have the foundation to sell data governance to any business looking to use AI or data in more powerful ways.

Related article: Is bad data ruining your customer experience?

Parting Words: Better Data, More Support

All businesses that run on data need data governance. The problem in the past was that data governance was viewed exclusively from a risk mitigation perspective. Adding offenses to the mix is ​​a game-changer for data governance professionals. It helps articulate the business value of data governance and gain crucial support for C-Suite.

The expense of risk reduction for many companies has been difficult to justify. That’s what I heard from CIOs after the Target Hack. Given this, I’d like to suggest that organizations start by addressing the offense side of the equation. This will accelerate data governance because it organically creates an engaged group of business stakeholders who get value and are ready to champion the value they help create.

These “Future Ready” companies view data as a strategic asset. For them, “data is a strategic asset shared and accessible to everyone in the company who needs it”.