To be a data-driven organization, it is essential to first determine what the organization aims to achieve. To define these goals, everyone needs to use a common language and speak and listen based on needs, which helps in understanding each other better. A collaboration strategy is also required. Only then does a common digital platform come into play, with security and privacy as its foundation. Such a secure platform is therefore not leading but serving the organizational goals and the user. This is what Erik Jan Koedijk, crisis manager for ICT and data security at GGD GHOR Netherlands, asserts. He delves into this subject with us.
Managing security and privacy in becoming a data-driven organization
It quickly becomes clear that we are dealing with an advocate for optimal security and privacy measures when Erik Jan kindly but firmly indicates that we may record the Teams interview but must delete it immediately once everything is on paper. “What you share in Teams can be easily downloaded to your laptop,” he says. “As an organization, you then have no control over that data, which brings significant risks.”
After reassuring him that we will indeed delete the interview recording, Erik Jan begins. “Go ahead with your questions. I am very enthusiastic about this topic and think it is excellent that we are working on the iStrategy, exploring a data-driven organization, and aiming for a unified digital platform. But it is a complex process, and don’t forget: as you become data-driven, security and privacy risks can increase.”
What does data-driven work mean to you?
“Making decisions and taking actions based on available data is what it’s all about. What I find so cool about it is that data enables you to make qualitatively better decisions. Many decisions are made based on intuition, experience, or personal motivations, but data allows you to guard against these tendencies. The beauty of data-driven work is that it can elevate your service delivery to a higher level. I can guarantee that. I also dare to say that it will increase job satisfaction and consequently reduce absenteeism. Why? Because data-driven work provides direction for employees. It allows for much tighter management of how certain tasks contribute to the goals and core values of the organization. Additionally, with a good setup, a lot can be automated instead of relying on outdated methods of excelling, exporting, and importing.
“However, I notice that some people don’t always like data-driven work because it becomes very concrete. Personally, I find it quite pleasant. Generation Z, which will make up about 25% of the total workforce by 2025, probably won’t want to work without data-driven actions and will also have different demands for collaboration. Therefore, we must undergo this transformation, preferably as quickly as possible.”
What are important conditions for being able to work data-driven?
“Setting goals, ensuring everyone speaks the same language and understands each other, and of course, having a common collaboration strategy. The translation of the desire to collaborate into a single platform determines whether it will be successful or not. This means a significant cultural change. However, I observe a significant lack of cyber knowledge in crucial roles within many organizations that can drive this change. Think of behavior changers or crisis managers. Cybersecurity is a specialized field, and you don’t learn it in just one training. There is a large knowledge gap. Many people think they understand it, but they often talk past each other because they don’t have a common language. Moreover, information provision and IT are not always user-centric. That is the biggest structural flaw there is.”
You just mentioned the concept of security by design. What exactly is that?
“This means that security and privacy are fundamental to a product, service, or system. In everything you develop, data security is paramount, and other weaknesses are prevented. It is important that this becomes part of the culture and is seen as an ongoing process. If it does not meet certain security standards, it will not be used, and other solutions will be devised for teams that achieve the same desired functionality.”
What are the biggest security challenges for the GGD?
“For all companies and organizations in the Netherlands, including the GGD, GHOR bureaus, and GGD GHOR Netherlands, it is essential that the personal security foundation is in order, both at work and at home. This often needs improvement. For example, I’m talking about a strict password policy, always running updates immediately, and using two-step verification. Many organizations also use outdated systems and services. Thirdly, I notice a knowledge gap among hired suppliers, particularly during implementations when systems are connected for data exchange. Increasingly, when there is a hack or data breach, a supplier is involved.
“And fourthly, there is a need for a collaboration strategy in which secure working is central. Recently, we have been working a lot with screens and via Teams globally. As a result, we share information everywhere and nowhere. This leads to data being fragmented across systems and devices. Who then keeps the overview? There have been technical solutions for this for years, and as a former Nokia employee, I still advocate for centralized management of all mobile devices, including smartphones and tablets. This fragmentation of data storage can cause organizations to lose sight of data security. Partly with the supplier, partly with another chain partner, significant security and privacy risks arise. As I often say, you are only as strong as your weakest link, because we are all in one big digital building. The result of less security frequently leads to data breaches, which is automatically a privacy problem.”
If data is fragmented everywhere, can you even work data-driven?
“Indeed. Moreover, we want data to serve the target audience for which we use it, but that becomes difficult this way. I have heard that there are health organizations, for example, that have a lot of fragmented data. They struggle to exchange dossier information securely and accurately within the regions. Take a child of divorced parents who lives with his father in Rotterdam and his mother in Middelburg. The child seeks help from the organization in two different regions where his dossier is not shared. If we were to build the data around the child, the focus of the organization professionals could return to the content. After all, you want professionals to be able to do what they are trained for, which is to make people better.”
What is needed for good collaboration?
“I think it is important to first discuss how we want to collaborate securely. Secure collaboration must become the standard because we are dealing with very confidential data. If that data falls into the hands of cybercriminals or state actors like Russia or China, it could have serious consequences. So we have a huge responsibility. Also, the conversation with the user about what they want to do with the data is extremely important. You need people who ask the right questions in terms of functionality and in terms of security and privacy. Additionally, as an organization, we must be ready to embrace new developments. Innovations in replacing the internet as we know it, tools, blockchain, and artificial intelligence are advancing so quickly… it is very important to keep an eye on them and remain flexible.”
Can we learn from the business sector?
“Certainly. They often work data-driven from common goals, they don’t see the tool as the goal and thereby avoid privacy and security risks. They also work from the customer experience perspective. The customer is always central, and thus data is built around the customer. Furthermore, the data quality is high. If you use bad data from fragmented systems as input, then you know that the output, such as information on a dashboard, will also be poor. This increases the chances of making incorrect decisions.”
Do you have any advice for the reader?
“Yes, I would like to share a few simple tips below to better secure yourself. And remember that systems are never one hundred percent secure. Security is a feeling; there is no such thing as a completely safe world. Therefore, we must carefully consider someone’s goal, how people collaborate, and what the best configuration is for working together. In a few years, passwords will be replaced by more ingenious access techniques, but for now, we are still dealing with a legacy of twenty years of poor internet topology. This allows hackers to easily get in, for example, through phishing emails, with all the consequences that follow. So it is essential to focus on a secure foundation now.”
This blog is a translation of a Dutch article about Erik Jan Koedijk in the magazine “Versterken & Verbinden” for the Regional Public Health Services (GGD-en).