While data security continues to grab headlines, further legislation is pending as the demand for professionals in data governance grows fast, says Anne-Marie Walsh of Hays.
It seems like a week doesn’t pass without another news story about a data security breach. Whether it’s bugging in the Garda Ombudsman offices or the WikiLeaks scandal, sensitive information is being stolen and taken advantage of by cybercriminals.
In the corporate world it is just as prevalent. At the end of last year, SuperValu experienced a security breach involving its ‘Getaway Breaks’ loyalty scheme, with more than 60,000 customers’ financial information put at risk. Recently, Domino’s Pizza French database was hacked, containing information from more than 600,000 customers.
Our own private lives give an indication of how much data we are imparting to companies nowadays and the plethora of passwords and pin codes we use. Organisations are constantly gathering metadata about what we look at and buy, where we visit and who we interact with. This data needs to be secured and companies are under increasing pressure to ensure they are carrying out the correct due diligence. Companies need to have a watertight compliance process otherwise they leave themselves open to serious legal threats and potentially financial disaster. For example Epsilon, an American email marketing services company, experienced a data breach in 2011 that might yet cost the company as much as US$4bn.
Subsequently, organisations are putting an increased focus on data governance with a corresponding rise in jobs that relate to governance risk and control (GRC). GRC covers IT auditing, information security, forensics, data protection, compliance and data governance.
Down the road
However, a more pertinent reason for a rise in roles in this area, particularly among larger organisations, appears to be the anticipation of data-protection legislation which is due to come into effect in 2014. The days of self-regulation are coming to an end if the Data Protection Commissioner’s Statement of Strategy for 2014-2016 is to be believed. It clearly defines the types of organisations it will be auditing and the standards expected of them.
The Data Protection Commissioner will “take proactive measures to improve levels of compliance with data-protection obligations, using existing powers and any additional powers conferred by law” and “audit a wide range of organisations drawn from across the public, private and voluntary sectors giving priority to information-rich multinational companies providing services from Ireland to EU residents”, according to the statement.
It has yet to be confirmed what these “additional powers conferred by law” will be and whether they will be judicial or fiscal in nature. Either way, it looks like they will certainly take a toll on an organisation’s bottom line.
Alan Rafferty, formerly of Bank of Ireland, GM, Goldman Sacs, and now COO of Avvio.com says, “You need to know you’re secure, be able to say how you know that and be able to prove it when you need to.”
I recruit for business intelligence and data analytics specialists in Hays IT and I’ve noticed a lot of media coverage around the increase of ‘big data’ jobs, however, there has been less attention given to the activity around data governance, risk and compliance. From a recruitment perspective, we’re seeing a lot of jobs, particularly an increase in demand for IT auditors.
A candidate will typically have experience in a large consultancy and is looking to move into industry. Employers are asking for CISA or CISSP certification but some companies are offering them as part of their training. Graduates with a solid infrastructure background are of particular interest. I’ve noticed consultancies are hiring more and more professionals to consult in IT security and forensics and I foresee industry developing this talent themselves.
In addition to IT audit, there has been a steady flow of data governance and compliance roles, up to senior level. Candidates with either a strong IT or audit background are required to provide a consultative assessment to companies in terms of their data policies and the inherent threats, while aligning these policies to best practice and current legal requirements. Hiring companies are looking for candidates to be able to get ‘hands-on’ with the data, so an IT background is more attractive.
In the US, organisations are looking for COOs with exposure to GRC and we are seeing a number of candidates on the market in Ireland who are experienced data protection and data programme managers. These candidates have experience consulting on data governance issues across large organisations. They would have an equally impressive background in IT audit, security and legislation, such as the Sarbanes-Oxley Act, and familiarity with the relevant predominant frameworks, such as Cobit, ITIL, PCI and DSS.
There are a number of routes into this area of IT with a mixture of candidates coming from IT, legal and business backgrounds. GRC opportunities will only continue to grow as companies are placing more and more importance on their data analysis and as cybersecurity threats increase in occurrence and sophistication.
Anne-Marie Walsh is a senior consultant for Hays IT, recruiting in the areas of business intelligence and data analytics professionals. She also specialises in C level and executive recruitment.
Data governance image via Shutterstock