The Case for a Data Governance Framework: Part 2

21.02.2025

Digital Literacy


By Bill Owens

Managing Director


Why Data Governance is a Business Imperative

In our last article, The Case for a Data Governance Framework: Part One, we asserted that a cyber attack is a matter of “not if, but when”. We highlighted that cybercrime has grown to a global scale larger than the drug trade. We outlined the horrendous scamming practice of ‘Pig Butchering’ and posited that cybercrime is a transnational issue requiring a global response.

But while cybercrime is an overwhelming global challenge, all businesses – large and small – have a part to play. In this article, we describe what a good Data Governance Framework looks like and the role business leaders must take in the fight against cybercrime.  

In today’s digital economy, data is not just a corporate asset – it’s the lifeblood of business operations, decision-making, and innovation. Yet, many organisations struggle to manage their data effectively, exposing themselves to cybersecurity threats, regulatory risks, and reputational damage. 

Recent high-profile breaches at companies like Optus and Medibank highlight a harsh reality: without a robust data governance framework, organisations are at the mercy of cybercriminals, regulatory scrutiny, and operational chaos. 

So, what does an effective data governance framework look like? How can businesses take control of their data assets to drive competitive advantage while ensuring security and compliance? 


Leadership Must Own Data Governance

Data governance is not just an IT issue – it is a board-level priority. For a framework to be truly effective, the board of directors must take ownership and integrate data governance into key strategic documents. The corporate strategy should outline how data will be leveraged for competitive advantage while also ensuring security and compliance. The organisation’s Risk Appetite Statement (RAS) should define tolerance for cybersecurity, data privacy, and AI risks. Additionally, the Risk and Opportunity Management Framework (ROMF) must clarify how data governance fits into broader enterprise risk management. 

Many companies treat data governance as an afterthought, leading to costly breaches. To avoid this, businesses must instil a culture of accountability where leadership proactively manages data risks rather than reacting to crises. 

Knowing Your Data

Where It Is, Who Has It, and How It Is Used

To govern data effectively, an organisation must first understand its data landscape. This requires answering critical questions such as where corporate data is stored, whether it is secure and private, and whether the company can prove its security to regulators and customers. It is also crucial to determine whether data should be categorised, segmented, or anonymised, and whether the organisation is holding sensitive personally identifiable information (PII) longer than necessary.

Organisations must also assess whether third parties have access to their data and, if so, ensure that existing contracts reflect the company’s governance policies. Conducting a company-wide data audit is essential. Without a clear picture of where data resides and who controls it, businesses remain vulnerable to leaks, compliance failures, and reputational damage. 

Implementing Strong Cybersecurity, Privacy, and AI Policies

Policies should not just exist on paper; they must be clear, enforced, and regularly updated. A robust data governance framework includes cybersecurity policies that define what data must be stored and for how long. Privacy policies should clarify whether customer data can be deleted upon request. Additionally, companies must establish generative AI policies that dictate when and how AI tools can be used in business operations. 

For instance, can AI-powered tools be used to record Teams meetings? Should customer interactions be AI-assisted without explicit consent? These policies must be documented, communicated, and regularly reported to the board and executive team. Without clear policies, organisations risk exposing themselves to compliance failures and breaches.

Preparing for the Worst

Cyber Incident Response Planning

A robust data governance framework is not just about preventing cyber threats—it is about responding to them effectively. Every business needs a Cyber Incident Response Plan (CIRP) that clearly defines roles and responsibilities in the event of a breach. It should outline who needs to be notified, including customers, regulators, and internal teams. It must also specify how to isolate and contain threats to minimise damage and establish post-incident recovery steps to ensure business continuity. 

Many organisations only think about incident response after a breach occurs, but by then, it is too late. Proactively testing response plans through simulations can mean the difference between a controlled event and a full-scale disaster. Having a well-defined incident response plan in place is critical to reducing downtime and mitigating financial losses.

Cyber Insurance: Is It Worth the Investment?

Cyber insurance used to be considered too expensive and not worth the hassle. However, this perspective has shifted. Leading cyber insurers now offer rapid breach response teams, providing instant access to expert support during an attack. The challenge for businesses is determining how much coverage is enough. 

A company’s cyber risk exposure depends on multiple factors, including phishing and social engineering attacks, ransomware, and identity theft. To determine appropriate coverage, businesses must calculate the full financial impact of a cyber incident. The cost of downtime can be significant. A cyberattack that shuts down operations for a week could cost a mid-sized company over $100,000. 

Data breach costs must also be considered. IBM estimates that the average cost per exposed record is $165. If 10,000 records are stolen, that amounts to $1.65 million in damages. Ransomware and recovery costs are another major factor, with ransom demands ranging from $100,000 to several million dollars. IT recovery costs, including forensic investigations and software updates, typically range between $250,000 and $500,000. 

Legal fees and regulatory fines further add to the financial burden. Updates to Australian data privacy regulations mean that companies failing to implement proper data governance controls could face substantial penalties. Additionally, reputational damage could result in customer departures and revenue declines of three to five percent due to a loss of trust. Given these risks, cyber insurance is no longer a luxury—it is a necessity.

Future-Proofing with Regulatory Compliance

Data privacy regulations are evolving rapidly, and the regulatory environment is tightening; businesses must stay ahead to avoid costly penalties. Failure to comply with new regulations may result in heavy fines and reputational damage. However, compliance is not just about avoiding financial penalties; it is about maintaining customer trust. In an era where data privacy expectations are higher than ever, businesses that prioritise compliance will gain a competitive advantage.

Final Thoughts

The Hallmarks of a Strong Data Governance Framework

Building an effective data governance framework is not just about checking boxes—it is about creating a resilient, data-driven organisation. A strong framework ensures that data governance is embedded in corporate strategy, risk management, and board oversight. Organisations must have visibility into their data, knowing where it is stored, who has access, and how it is protected. 

Clear policies on cybersecurity, privacy, and AI must be defined, enforced, and regularly reviewed. Companies must also have a tested cyber incident response plan in place to handle breaches effectively. Cyber insurance should align with the organisation’s risk exposure, ensuring financial resilience in the face of an attack. Finally, staying ahead of evolving data laws will help businesses mitigate legal and financial risks while maintaining customer trust. 

As businesses navigate an increasingly complex digital landscape, effective data governance is no longer optional – it is a competitive advantage. Organisations that take control of their data today will be the ones that survive, thrive, and lead tomorrow.


Digital Literacy for Leaders

Bill Owens, Managing Director of Veracity, has decades of experience in global business consulting and technology and is committed to raising digital literacy levels of business leaders across Australia. Bill often presents to Boards and senior leaders on data governance, privacy, AI, and cybersecurity to help leaders feel at ease discussing and making decisions about tech and IT.

Continue the conversation on LinkedIn at Digital Literacy for Leaders.


About The Author

Bill Owens

Managing Director

With decades of experience in global business consulting and technology, Bill excels in governance, strategy development, risk management, and financial management. He serves as the non-executive Chair of Relationships Australia Queensland and is a member of the Gymnastics Australia Commercial Committee. Additionally, Bill contributes to the Tech Council of Australia and acts as a Technology Industry Expert for Queensland Leaders. He is a graduate of the Australian Institute of Company Directors course.
