Data Sharing Versus Cybersecurity: Understanding Data Criticality
A few months ago, as I was walking down the aisles of a professional fair for public sector decision makers, I noticed two main themes on display:
- Cybersecurity, from secure citizen identity verification to the resilience of systems and data to threats.
- Efficiency of public services, with an emphasis on the need to better leverage and share data.
As a public decision maker, I would be lost, if not paralysed by, the contradiction of being asked to modernise my systems and organisation through better use of data and data sharing, while being constantly reminded that cyberthreats (and cyber attacks) are everywhere.
The first months of 2023 have been characterised by two sub-topics that illustrate this bipolarity: digital sovereignty (a country’s capacity for self-determination and in some cases data protection and isolation) and generative AI (a platform’s capacity to have access to all the data you might collect and extract, and lever this information to turn it into intelligible insights).
To bring these together, we felt something was needed and that some well-implemented borders and security measures are needed to be reconsidered.
An Inflection Point in the Importance of Data
Governments have long classified data primarily on its sensitivity. The UK government’s security classification, for example, defines “the sensitivity of information (in terms of the likely impact resulting from compromise, loss or misuse) and the need to defend against a broad profile of applicable threats.” Based on that definition of sensitivity, UK government policy applies three levels of classification for government data: top secret, secret and official. The majority of EU governments have also classified the data they manage based on sensitivity.
This classification showed its limits in February 2022 when Ukraine rushed to identify and migrate strategic data assets critical for the government to enable operational continuity and bolster resilience. Previously, Ukrainian law required some government data to be stored in local servers in Ukraine, but this was changed a week before the invasion. Essential data has already been migrated from over 27 Ukrainian ministries.
IDC analysis shows the public sector is at an inflection point when it comes to the importance of data, and that it’s not only a matter of protecting sensitive data but also of anticipation. This is done by recognising data as a critical and strategic asset for governments to function more efficiently, effectively and resiliently to deliver the outcomes and security solutions that citizens expect, in times of crisis and on a daily basis.
A Framework to Facilitate Readiness
This has led us to create a framework that builds a new layer in data classification. In our Learning from Ukraine: Building a Framework to Safeguard Governments’ Critical Data, we recommend that governments not only classify and manage sensitive data but also critical and value-added data.
Critical data can be defined as data that if not accessible or not reliable can jeopardise a government’s ability to function in its daily activities and in times of crisis. It’s important to highlight this difference between classifying data based on the level of sensitivity and the level of criticality because some data sets have both characteristics.
For example, a criminal record is both sensitive (because it contains personal information) and critical for the criminal justice system to function. However, land registry data does not contain the most sensitive information but is critically important to determine jurisdictional boundaries, settle property disputes and assess the value of taxable assets.
Bringing Everyone on Board
Data sharing and interoperability and the building of European data spaces are vital here; sovereignty (the capacity to self-determine your action) should serve this cause and not get in the way, as it is often confused with security.
Sovereignty is a current concern as many government entities are seeking to update their cloud policies, such as the “Cloud au Centre” in France and “cloud first” in the UK. Some initiatives also promote interoperability, with Portugal’s eSPap government authority developing a platform for public entities.
These initiatives aim to bring more coherence to IT systems and enable new services in healthcare and security, for example.
Local governments are still trailing European or central governments when it comes to transformation, partly due to trust issues. We believe that enabling this new layer of criticality, and adapting our framework for every local public entity CIO, will be key to creating a common secure language.
To learn more about government’s role in safeguarding critical data, see our new study Learning from Ukraine: Building a Framework to Safeguard Governments’ Critical Data and join us at the IDC Government Xchange.
Web3 – Making a Business Case for the Next WWW
We define Web3 as “a collection of open technologies, including blockchain, and protocols to support the natively trusted use and storage of decentralised data, knowledge, and value” (IDC Market Perspective, March 2022). Based on blockchain, Web3 is often associated with NFTs and cryptocurrencies.
2022 Web3 Market Outlook
2022 was definitely the year of cryptocurrencies, for better or worse. Tech companies and VCs heavily invested in Web3/metaverse powered solutions — Web3 startups raised more than $7 billion in investments, focusing on NFTs in the first half and metaverse in the second and third quarters (Crunchbase).
NFTs were the next big thing to place data and content ownership on users and eliminate the need for big corporations’ intermediary role for a more decentralised web.
Highly volatile crypto valuation and regulatory issues arising from fraud and bankruptcy scandals (FTX as the most outstanding example) raised questions about the true added value that these applications of Web3 and the Metaverse can provide to industries. Cryptocurrency valuations critically shrunk throughout 2022. Bitcoin lost over 60% of its value (CoinMarketCap), and after the “honeymoon2” phase ended, NFT creators were forced to look for alternative solutions to monetise their work.
The markets remain fluid, however, with some IDC predictions calling for the global crypto lending market to reach $5 trillion by 2026, as cryptocurrency adoption becomes more commonplace (IDC FutureScape, October 2022). Recent developments in venture capital funds and international banks may provide new life and opportunities for cryptos and NFTs as markets show resilience.
So, one may ask, was it just hype?
Investment Drivers: Excitement vs. Use Cases
Investment in technology has been highly influenced by exaggerated excitement over new tech, boosting the hysterical race to find the “next big thing”. In 2022, there were cryptos and NFTs; 2023 is the year of generative AI.
However, investments were not always tied to applicable use cases or strategic business purposes, blurring the scenarios that new technologies can create and be applied to.
Web3 DApps
Web3’s applications are widely perceived as “just” cryptocurrencies and NFTs, to be exploited in trading and gaming. Sustaining the new version of a decentralised internet requires the deployment of several technologies whose interoperability allows interactions to be performed in a digital world.
Blockchain is the foundational technology of Web3. When applied to Web3, blockchain provides new ways of managing and owning digital data: token-based economics that supports digital assets allows interactions and transactions between users and entities.
Web3 apps, also known as dApps (decentralised applications), work on blockchain and decentralised users’ networks with direct interactions between users and direct access to data.
Smart Contracts
Smart contracts created with blockchains are expected to contribute to more transparent, cost efficient and secure transactions than conventionally regulated financial interactions. Decentralised infrastructure is aimed at decreasing threats of disruption and cyberattacks — the key benefits of decentralised control that potentially generates use cases in finance, supply chain and digital identity.
However, the scarcity of blockchain-based use cases in industries other than finance and supply chain management complicates the further development of the technology; the current use of smart contracts does not completely fulfil the potential of decentralisation.
Decentralised Infrastructures
Decentralised infrastructures, although a pillar of Web3 and blockchain, are increasingly showing flaws. A sort of U-turn back to centralised infrastructure of data and content has taken place, and the need for regulatory entities is revealed once again. While networks and infrastructures are decentralised, decentralised autonomous organisations (DAOs) were established to replace conventional regulators, as servers will inevitably be run by external players, not directly by users.
All these deficiencies, one may argue, could have been avoided by focusing less on what was trendy, and studying more all the features of these technologies that, if fully exploited, can benefit several industries besides finance.
Looking Forward: Was it Just Hype Then?
Web3 Use Cases
Hype cannot be the sole driver behind the growth and investments in Web3 and the related technologies. Too much weight was put on the explosion of cryptocurrencies, while more industry-specific use cases were often ignored.
The potential growth and development of Web3-based technologies (decentralised applications, the metaverse) could truly revolutionise the ways in which businesses operate and people live. The focus should be placed on concrete applications for these solutions, as well as on the other technologies and infrastructures that are foundational for the full implementation of Web3 technologies.
The rush towards the next big thing is already ongoing and well advanced, with Generative AI already on the horizon. But one may hope that the same urgency that was applied to Web3 and blockchain, whose potential for businesses can be truly disruptive, would leave room for a more strategic assessment of the full capabilities of the technology, if we look beyond the hype.
Web3 technologies are and should still be very much on the radar of tech companies — the one good thing resulting from the hype, as it keeps IT vendors interested and alert on the latest technology trends. The ultimate goal though needs to be to transition from hype to defined use cases and business outcomes.
Structured investments in new technologies should be driven by business goals and use cases that the technology can offer; the role that Web3 and blockchain-based technologies will play in the longer run needs to be defined by their effective applicability across sectors.
We constantly monitor what’s on the horizon, staying at the edge of the latest technology developments.
If you want to learn more about IDC’s take on Web3 and the metaverse, find the latest report here.
European Data Spaces: From Vision to Reality
The proliferation of data is transforming businesses and public administrations, and changing consumer experiences and society. The European Union has responded to the challenge with the ambitious European Strategy for Data (2020). One of the pillars of the strategy is the creation of common European data spaces in strategic economic sectors and domains of public interest.
Europe’s strategic data spaces vision is the next stage of evolution of data sharing. Rather than happening only within the boundaries of one organisation or through bilateral contractual agreements that are costly to manage and not conducive to innovation, data sharing must scale to multilateral exchanges, including beyond industry boundaries.
Building on the experience of the European research community with the European Open Science Cloud, the European Strategy for Data proposes an additional nine data spaces. Since the EU Strategy for Data also left the door open for other data spaces to emerge, other EU preparatory actions are planting the seeds for the development of data spaces in adjacent domains, such as cultural heritage, language, media, smart cities and tourism.
The key features of data spaces are:
- Federated technology capabilities that dynamically match data demand and supply in a trustworthy and energy-efficient manner
- Governance policies and processes for secure, transparent, non-discriminatory and fair participation of every data user and data provider
- The ability to make good quality, interoperable data available within and across industries, for non-profit/altruistic purposes, for-profit purposes or both, in compliance with EU regulation
Accelerating Data Sharing
The bold vision for European data spaces still has some way to go. IDC’s research on the future of industry ecosystems (subscription required) found that over 90% of public and private sector organisations globally share data with external partners, but only 30% do it in a consistent and strategic manner, instead of only when strictly necessary and mandated by law. Among European governments, only 22% of organisations have established public-private collaborations to share data for the public interest. There are many digital sovereignty, governance, semantic and technical interoperability challenges to overcome to fully achieve the European data spaces vision. Nonetheless, many actions are accelerating the realisation of the vision:
- European Union grants funding for coordination and support actions, such as DATES
- Implementation of new regulation, such as the Data Governance Act
- Implementation of industry-specific European regulations, such as the Commission Delegated Regulation (EU) 2017/1926 regarding the provision of multimodal travel information services
- Multilateral initiatives, such as GAIA-X
- Individual country platforms that could then be federated across Europe, such as the smart tourism data platforms being developed by the Italian and Spanish governments
- Individual countries’ investments in digital sovereign computing infrastructure that can support data spaces
We expect data spaces to be realised through different architectural and operating models. For example, some of them could consist of a set of common standards maintained by a non-profit association, while others could be based on a federation of national data platforms operated by member states’ governments that build ad hoc integrations for cross-border data exchange. They could also be centred on a joint platform, owned by one or multiple large private sector enterprises that operate as the anchor for a data space.
The Role of European Government in Data Spaces
As these architectural road maps and operating models evolve, it’s important that European governments take an active role in influencing the trajectory. Governments can play five roles in shaping the future of data spaces:
- Regulator. Governments act as policymakers to set the rules (laws, policies, standards, etc.) for deploying, operating and participating in data spaces.
- Operator. Governments provide the core data space platform services such as onboarding, identity management, data aggregation, data catalogues, data access and billing.
- Enabler. Governments fund and/or provide data space platform infrastructure such as connectivity, cloud and edge computing.
- Data providers. Governments supply data to the data spaces.
- Data users. Governments consume data from the data spaces.
Senior government leaders should not just wait and see for EU-wide regulations and programmes to define the European data spaces road map. They should take a proactive approach to realise the benefits of data sharing by:
- Evaluating what role they want to play to maximise the benefits for the public sector and to incentivise private sector contribution, while setting the example in terms of protecting personal data, intellectual property and digital sovereignty
- Working with the private sector to identify priority use cases, business models, governance models and technical blueprints that accelerate deployment in a secure manner
- Collaborating with technology suppliers and academia to accelerate development of technologies that enable trusted data sharing in federated, heterogeneous environments
- Collaborating with enterprises and industry associations to prioritise the data space in which it makes sense for governments to take an operator or enabler role
- Nurturing organisational competencies and culture that foster data spaces
If you want to learn more about the role governments can play and the capabilities they need for data spaces, read our new study (subscription required) and join us at the IDC Government Xchange.
IT as a Value Adder Instead of a Cost Center
Ways to Make IT Seen As a Customer Focused, High Quality Face of the Organization
Organizations regularly complain about the cost level of their IT department. This is by no means a new phenomenon. At IDC, we continuously assist IT managers dealing with challenging cost reduction targets. I find that these cost reduction targets are often determined bluntly, and IT departments have trouble in demonstrating their true value to the organization.
Run and Change: Commodity and Adding Value
The first step to take is making a well-considered distinction between the ‘run’ and ‘change’ parts of the IT budget. In other words, appreciate the difference between keeping the automation of the organization running and enabling the organization to innovate.
- The running of the automation should be the subject of continuous cost saving projects and optimization. Regular benchmarks and a fitting sourcing strategy are important tools to optimize this part of your IT.
- On the other hand, we have ‘change’, the innovation. This is where the strategic added value of IT lives. The added value is often found in software development, allowing for digitization of certain process to save cost in the primary functions of the business or to innovate in other ways, such as bringing new products to market faster.
Download Checklist: 5 Insights For New CIOs
What Are Other Ways for IT to Shine Within the Organization?
User Satisfaction
Another way to present IT as an adder of value instead of a cost center is through user satisfaction. In nearly every IT procurement project guided by IDC, user experience is a major theme. Key steps to take in improving user satisfaction is through simplifying technology and improving user IT practices. These practices like self-service portals, instructional videos, FAQs, and user training improve user self-sufficiency through automation and education. Our benchmark data teaches us that successful implementation of these practices can have spectacular results on both the service desk workload and user satisfaction rating.
Consider the Employee Instead of the User
After implementing these practices, which many organizations have successfully done, an IT organization has the opportunity to engage the employee to add more value during their time with the organization. Yes, we have now transitioned from user satisfaction to employee satisfaction. After all, a user is more than a workplace account. Cooperation with other supporting functions of the organization, such as human resources, becomes an opportunity.
Employees are motivated by more than salary and vacation time. The feeling of purpose and corporate social responsibility are crucial factors for many employees to really connect with their employer and experience satisfaction in their careers. In the work from home climate that we have experienced since early 2020, this connection is at risk.
“In nearly every IT procurement project guided by IDC, user experience is a major theme.”
The logistical processes of the IT organization can play a cost-efficient role in engaging the remote worker. To supply offices with the right hardware and services, IT knows logistical services such as ‘on-site support’ and ‘IMACD’ (install, move, add, change, dispose). During the pandemic, these services have modified somewhat for some organizations as many workers changed their work location. Especially now, these logistical processes allow the organization to engage their remote workers. Take, for example, the onboarding of new employees. When IT delivers the required hardware, why not integrate with HR and include a handwritten note from the manager and overviews of the company culture and mission. With some real attention and coordination with other departments, IT can deliver a warm and welcoming experience at no additional cost.
In summary, if the cards are played right, IT can be seen as a value adding function instead of a cost center. The logistical processes are already in place to position IT as the customer focused, high quality face of the organization towards the employee. If a transparent dialogue between IT and the rest of the organization about the cost level is also in place, the relationship is bound to become value based instead of cost based.
The first 90 days on the job are crucial. IDC’s checklist for building a foundation for Application Portfolio Analytics and using fact-based metrics will help you elevate and establish yourself to be as effective as you need to be.