ISACA has just released a new paper on big data that I like and recommend. (Full disclosure: I reviewed and provided feedback on a draft).
What I most like is one of the key messages: it may be riskier to ignore big data than implement it. This captures my belief that the value that can be obtained by the intelligent and creative use of analytics against the massive data sets that are available to every organization far outweighs both the cost of the effort and any associated risk.
Most organizations recognize that there is value in big data, although in practice that value is usually limited by their ability to define the critical business questions that can be answered by the use of this wonderful new tool. Organizations are also limited by their belief that they are constrained by inadequacies in their corporate systems.
My view is that almost any organization, no matter the size or type, not only can but should be taking advantage of the immense possibilities with big data. Not doing so indicates a lack of imagination and resolve. Internal auditors, information security practitioners, risk professionals, and executives should not allow risks to blind them to the great values and possibilities.
Here are a few excerpts from the paper:
“New analytics tools and methods are expanding the possibilities for how enterprises can derive value from existing data within their organizations and from freely available external information sources, such as software as a service (SaaS), social media and commercial data sources. While traditional business intelligence has generally targeted ‘structured data’ that can be easily parsed and analyzed, advances in analytics methods now allow examination of more varied data types.”
“Information security, audit and governance professionals should take a holistic approach and understand the business case of big data analytics and the potential technical risk when evaluating the use and deployment of big data analytics in their organizations.”
“For information security, audit and governance professionals, lack of clarity about the business case may stifle organizational success and lead to role and responsibility confusion.”
“By looking at how these analytics techniques are transforming enterprises in real-world scenarios, the value becomes apparent as enterprises start to realize dramatic gains in the efficiency, efficacy and performance of mission-critical business processes.”
“Understanding this business case can help security, audit and governance practitioners in two ways: it helps them to understand the motivation and rationale driving their business partners who want to apply big data analytics techniques within their enterprises;, and it helps balance the risk equation so that technical risk and business risk are addressed. Specifically, while some new areas of technical risk may arise as a result of more voluminous and concentrated data, the business consequences of not adopting big data analytics may outweigh the technology risk.”
My friends and former colleagues at SAP have chimed in with an emphasis on the increased value when more sophisticated tools, especially “predictive analytics,” are used to mine and produce information from big data.
The SAP paper on this topic, “Predicting the future of Predictive Analytics” makes the point well. Here are some wise thoughts, from a personal correspondence with SAP executive James Fisher, that focus on the risk of using analytics and big data without making sure that the information you are using to run the business is reliable:
“The opportunity of big data is huge, and the biggest analytical opportunity I see within that is the use of predictive analytics. The data shows companies favor taking advantage of the opportunities in front of them rather than minimizing risk. Technology is playing a role here and making predictive capabilities even easier to use, embedding them in business processes and automating model creation. SAP is, of course, in a position to deliver all this. The added question to ask (and this is really my view) is this: Does this introduce an inherent risk in that people who don’t know what they are looking at blindly follow what the data says? When you read a weather forecast you immediately sanity check what it says by looking out the window—is everyone doing the same with data?”
Norman Marks, CISA, CISM, CGEIT, CRISC
Member of ISACA’s Emerging Business and Technology Committee
*A version of this post originally appeared in Norman’s blog.
Continue the conversation in the Big Data topic within ISACA’s Knowledge Center.