
Move Fast And (Don't) Break Things


This article originally appeared on Forbes.com as part of Delphix CTO Eric Schrock’s ongoing column. See the original post here.

Over the past year, the narrative around enterprise data has taken a beating as a slew of breaches and cases of misuse hit the headlines. From Equifax to Uber, companies are prioritizing speed and innovation but neglecting thoughtfulness and security. Facebook, the giant that championed the motto "move fast and break things," has become the poster child of data misuse. (Full disclosure: Facebook is a Delphix customer.)

For some, a singular goal of speed makes sense. But when it comes to organizations that hold the keys to copious amounts of data (in Facebook’s case, 2 billion people), valuing speed at the expense of privacy and security creates untenable risk. Sure, mistakes happen and freedom is central to experimentation, but "breaking things" isn't sustainable when the trust of millions of individuals is at stake.

All around us, speed seems to be the metric by which we measure successful companies. But the truth is, many companies don’t have to make a trade-off anymore. There are ways that they can have it all -- move fast and be responsible.

Develop Privacy Faster Than Your Products

It’s easy to get caught up in the day-to-day of product development and inadvertently deprioritize things like privacy. Movements like DevSecOps are helping bring a focus to security, but it's important to ensure data security and privacy stay top of mind. Even when it’s for something as simple as a tweak to a feature, take the time to consider cause and effect on users and data. It’s far easier to make changes at this stage than weeks or even years into production.

One step teams can take is codifying policies that govern data access and delivery. Rather than asking an individual to determine whether “Ralph” should be able to access the latest product rollout in his Amazon Web Services (AWS) environment, companies should implement a system that combines the identity of the requestor, attributes of the data and nature of the request under a well-defined business policy. Codify these policies through tools like audit logs, encryption, consumer privacy commitments, access permissions and data masking.
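A codified policy of the kind described above, as an added example that is not from the original article or from Delphix: each decision combines the requestor's identity, the data's classification and the nature of the request, is written to an audit log, and can require masking. The roles, rule names, classifications and the sample record are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    user: str            # identity of the requestor
    role: str
    action: str          # nature of the request: "read" or "export"
    environment: str     # where the data would land: "prod" or "dev"
    classification: str  # attribute of the data: "public", "internal", "pii"

# Ordered (name, predicate, outcome) rules; first match wins, no match means deny.
POLICY = [
    ("public-data", lambda r: r.classification == "public", "allow"),
    ("pii-outside-prod",
     lambda r: r.classification == "pii" and r.environment != "prod", "mask"),
    ("support-reads-pii",
     lambda r: r.classification == "pii" and r.role == "support"
     and r.action == "read", "allow"),
    ("staff-reads-internal",
     lambda r: r.classification == "internal" and r.action == "read", "allow"),
]

AUDIT_LOG = []  # in-memory stand-in for an append-only audit store
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def decide(req):
    """Return "allow", "mask" or "deny" and record which rule decided."""
    rule_name, decision = "default-deny", "deny"
    for name, predicate, outcome in POLICY:
        if predicate(req):
            rule_name, decision = name, outcome
            break
    AUDIT_LOG.append({"user": req.user, "action": req.action,
                      "environment": req.environment,
                      "classification": req.classification,
                      "rule": rule_name, "decision": decision})
    return decision

def fetch(req, record):
    """Deliver the record as the policy dictates: in full, masked, or not at all."""
    decision = decide(req)
    if decision == "deny":
        raise PermissionError(f"{req.user}: {req.action} denied by policy")
    return SSN.sub("XXX-XX-XXXX", record) if decision == "mask" else record

if __name__ == "__main__":
    record = "name=Jane Doe ssn=123-45-6789"  # constructed sample record
    print(fetch(Request("ralph", "developer", "read", "dev", "pii"), record))
    print(decide(Request("ralph", "developer", "export", "prod", "pii")))
    print(AUDIT_LOG)
```

Because the rules are data rather than a person's judgment call, the same request always gets the same answer, and the audit log shows which rule produced it.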

Look At The Entire Ecosystem

In Mark Zuckerberg’s case, he admitted that Facebook’s leaders didn’t have the foresight to see how its product portfolio could be exploited. But in today’s connected world, companies that operate in silos are no longer revered. Whether it’s the CEO or the product manager, there has to be consistent communication across the organization about how data is accessed and how it flows. Taking the time to gather information from departments responsible for controlling data flow and security is critical. For example, having a monthly data session between executives and product teams that pinpoints ways the company can take a more rigorous approach to enforcing data protection could help map out vulnerabilities and also prevent damaging breaches.

If information is being shared across third parties, the executive team should be accountable for proper data handling. In Facebook’s case, once the data left its servers, it seems as though it had little control over what was being accessed and by whom. Companies have a duty to implement enforcement mechanisms, like audits of external developers, to ensure that data is not being misused.

Use Technology To Fill The Gaps

With the huge amount of data that companies hold, it’s impossible for humans to manage it all. Cases of human error happen all the time. Outages at Delta caused numerous flight cancellations and delays, and Amazon’s AWS suffered an outage that disrupted services for Netflix, Spotify and Expedia users.

Advanced technologies, like machine learning (ML) and artificial intelligence (AI), are examples of tools that can be used to fill data gaps that humans miss. For example, companies can use AI to sift out inappropriate language or detect parties that might be trying to access data they’re not privy to. IT automation can drive consistency across the organization, bring disparate systems together and free up IT resources to focus on new data issues.

Data involves sensitive info, from credit cards and social security numbers to personal images and voice data. Systems and humans are imperfect, and the best security tools don't help if an authorized user inappropriately uses that data. Technologies like data masking and sensitive data discovery are tools that mitigate risk as data flows across the enterprise.

Integrate Data Ethics Training

The technology landscape is changing rapidly, and few employees are familiar with the ethical implications of new techniques. The applications of computer science are so diverse and varied that there’s no all-encompassing set of standards they can look to. Navigating what’s right and wrong when you’re moving fast and under pressure to meet project deadlines can add a ton of pressure and be a recipe for data breach or misuse.

Companies have a duty to provide their employees with training, and we’re seeing it outside industries, too. At the University of Stanford, a joint initiative by the students in computer science, Social Good and the Stanford AI Group offers a course on the ethical implications of AI as a way to get future computer scientists and engineers to think about the role of ethics tied to the products they’re creating.

Despite the need to move fast, people need to have downtime to think about the work they’re doing and whether it addresses data privacy and security concerns. We need to stop talking about ethics only when a massive breach happens and instead ensure that they’re ingrained in workflows and across developer communities to help form broader professional standards. Companies should provide their employees with this on-the-job learning.

In 2014, Facebook updated its motto to the less catchy “move fast with stable infrastructure.” While the company recognized that some aspects of the business should never be broken, it missed the most important one: customer trust. Companies must move fast to succeed but must be willing to slow down when it comes to data privacy. By making the right investments in people, process and technology -- and not just throwing up roadblocks to innovation -- they can move quickly, with less risk.