By Sara Ther
Published on October 7, 2024
In July 2024, when major airlines could not operate effectively due to a bug in CrowdStrike’s software, it ignited the world’s interest in data compliance and security programs. Much like national security, you know compliance is working when it's not on the news.
The CrowdStrike fiasco revealed an important truth. Without effective training and internal visibility into ongoing compliance and security processes, organizations are at risk of data breaches and cyber-attacks. This risk has only increased with the creep of generative AI into everyday workflows, as information is shared with less scrutiny. Particularly in the age of AI, security teams must make every effort to educate teams and measure the effectiveness of their data compliance and security.
This post will focus primarily on engaging data and business teams to ensure conformance to these vital guidelines for your organization. We will cover:
The need for clear, documented policies and protocols
Change management for data security and compliance
Integrating data compliance and security into existing processes and software
The first step to training your teams on your organization’s data compliance and security protocols is to ensure the protocols and policies are documented in plain language and accessible for self-service. Modern compliance and security processes leverage AI-driven software—such as BigID—to run rules that perform deep data scanning on massive amounts of structured and unstructured data. These processes are happening at scale and can be overwhelming for the average business user to understand.
Data producers and consumers can only follow a protocol that they understand. These plain language policies must address multiple personas: data scientists, data analysts, and everyday data citizens. Data scientist personas will need a deeper granularity on the policy than a data analyst, but they both require plain language to use policies effectively.
For people within the business to leverage your protocols effectively, they need to know what’s needed from them. They also need to be reminded of the policies as they do their work, not just once a year in a virtual compliance training program (though those are important, too).
Finally, security and data compliance policies need to convey “what’s in it for me” so that users can see how it applies to them specifically, which leads us to the second point about leveraging change management methodology.
Change management will help leaders shift behaviors. For data security and compliance programs, change management drives home the criticality of adhering to policies. A clear picture needs to be painted of why it is important to change behavior and what happens if users fail to follow protocols. This provides the necessary context that business users often lack when it comes to new policies being employed in the workplace. The goal of a change management program (such as Prosci’s ADKAR methodology) is to get individuals to adapt to the change because they want to, not just because they must.
Another key facet of change management is awareness and knowledge. Are users aware of the policies in place, and do they have the necessary information to act on this awareness? This is where integrating your data compliance and security programs into existing processes, services, and software drives the ‘right’ behaviors at the ‘right’ time.
Whether you are trying to drive secure data handling, support existing data governance programs, or help people understand sensitive data, your compliance/security programs need to meet people where they are. In addition to running annual training, inform users at the point of consumption what the appropriate rules are for that data. By associating the data assets with relevant owners, policies, classifications, and data governance (DG) rules, users know right away how to leverage this information.
It is vital to integrate policies into existing tools. Doing so also trains your teams as they go, without explicitly driving them to a formal training session. Another benefit of this integration is that it supercharges auditability of the security and compliance program by improving visibility into where these policies are being used effectively, by department or use case.
This integration will enable you to capture consumption metrics for your clearly documented policies and protocols, thereby empowering the security team to share success stories. Sharing success stories functions as a flywheel because it will also reaffirm the value of your program and encourage users to leverage those self-serve assets.
Just as trusted AI starts with trusted data, effective data security programs start with effective training. Here are some best practices that Alation’s Customer Engagement Team recommends for using Alation to train your organization:
1. Use Alation’s Policies to document compliance standards for data in a clear, human-readable manner, which will reaffirm organizational standards for compliance. Embed a link to the longer-form policy for those data users who need it.
2. Associate policies to data objects and BI reports within Alation, so people know when the data they are using is governed by a specific policy (this will also encourage appropriate compliance behaviors).
3. Leverage Trust Flags to inform users, at the time of consumption, when a strict or critical data security classification applies to the data they are considering.
4. Integrate data security platform tools, like BigID and others, into Alation to automate the ingestion of security rules, classifications, owners, or policies.
5. Leverage Document Hubs as a self-serve platform where users can learn about available security/compliance training, policy changes, new policies or protocols, and who to reach out to with questions. Give users direct links to any associated tools that they need to protect company data appropriately.
Training your teams on data compliance and security requires constant engagement with data and business teams. Security teams must try to educate data consumers/producers on policies or protocols to secure your organization’s data and confirm compliance. This can be accomplished by having clear, human-readable policies, leveraging change management best practices, and meeting data users where they are by integrating those policies into existing processes and software. It is also vital to measure the effectiveness of the data compliance and security program, which will reinforce the value of the program. Share the good news instead of waiting to be part of the bad news.