Miroslav Umlauf, Avast

Miroslav Umlauf (Avast): Showing customers how their data flows through the company should be the goal of all companies

Visualizing the way data flows through a company should be a major goal for every company that works with data, and not only for its own benefit: it should be able to show that flow to its customers. "I don't know of a company yet that can do this. But it's a huge challenge for the future," says Miroslav Umlauf, Chief Data Officer at Avast, where data governance is currently being implemented, in the ADASTRA podcast.

  • How long does it take to put data governance into practice, and how can it be realistically measured?
  • And why is it not enough to have only top management dedicated to it?
  • What data strategy should companies choose?
  • Why is it advisable for companies to proactively communicate data leaks themselves as quickly as possible – perhaps as in Australia within tens of hours?

Listen to the podcast (CZ)

Read the podcast as an interview

Ivana Karhanová: Data leaks, blackmail, stolen accounts. This is how many people imagine the problem with data management. This black scenario is the most visible yet not so common phenomenon. We should be more interested in how companies handle our data within the organization, where and what they collect, what they do with it, whom they provide it to, and how they delete it. That’s why today’s guest is the man on the spot, Mirek Umlauf, Avast’s Chief Data Officer. Hello.

Mirek Umlauf: Hello.

Ivana Karhanová: Avast is now implementing data governance. What does data governance entail?

Mirek Umlauf: It can be described as everything we do in the company to keep data safe, to protect the privacy of those who entrust us with the data, i.e., our customers, but also our employees, partners. And, of course, it also involves making sure that the data is available at the right time for the right purpose, that it’s usable, because every company wants to be data-driven, and just because it has data doesn’t mean it’s data-driven. So data governance is also about making that data available to those who want to use it to make decisions to improve products.

Ivana Karhanová: Was the impetus for implementing data governance and strategy the hacking and Jumpshot issues Avast has dealt with in the last two years or did you deal with that earlier?

Mirek Umlauf: Usually, companies start by just wanting to use the data, so they start addressing use cases and how to improve the customer experience.

Ivana Karhanová: From my point of view, most of the time, they are primarily addressing GDPR to make it compliant.

Mirek Umlauf: GDPR data governance existed before because other companies in other industries like banks or telecom operators already had some regulations, of course. So the topic of data governance was not new to them. But companies in traditional retail were not regulated much, so the use of the data there was always more offensive. So the impetus for what helped me push for the systematic introduction of data governance and related technologies was certainly the GDPR. Then, of course, the incident with the hacker attack, when suddenly a company just needs to be sure what data it has, where it is, who has access to it. So every company needs to have that picture.

Ivana Karhanová: You said one important thing: you have managed to enforce a systematic approach. What is the difference here between a systematic and a non-systematic approach? How should I imagine this in practice?

Mirek Umlauf: It doesn’t necessarily mean that you have to implement a system right away, but data governance technology is important. A systematic approach will help. The first step is that a certain number of people in the company are obliged to start taking care of the data, document it, and develop a roadmap on how to improve the current state. That there is some roadmap showing where we are now and where we probably should be. So that’s what I think is the prerequisite for then being able to approach this systematically. And that there are people there who can either devote themselves to it full time or largely devote themselves to it.

Ivana Karhanová: This is an IT issue in companies, and now not only in Avast but also in corporations in general. Or should the data and the debate about it at that point move out of IT and should go across other departments as well?

Mirek Umlauf: The debate about data, data privacy, about security in general, not only data security but also technology security, is not just an IT issue. IT is one of the means, so everybody has to be involved. Because if we move everything related to any system to one team, that approach will be very reactive, but companies need a very proactive approach, which is everybody’s concern.

Ivana Karhanová: When the Jumpshot case came up at the time, where the issue was that you were probably mishandling some of the data or the way customers had not given you consent, you didn’t deny much at that point. Do you feel that strategy is better for the customers and the investors?

Mirek Umlauf: You mean the strategy of not denying something? Transparency has been my mission at Avast for more than a year. At every moment, not only the company but also its customers should know what is happening with their data. Whether that was due to GDPR forcing companies to be more transparent or whether they chose to do it themselves is another matter, but that’s part of Avast’s business.

Ivana Karhanová: You also mentioned that you have managed to push data governance. Did the demand at Avast for better governance and data management eventually come from the top, or was it pushed from the bottom?

Mirek Umlauf: It was important to get a mass of people who could implement it from below. The strong demand came when stakeholders became interested in this topic. Shareholders expect the company to behave responsibly. Avast went public, so those expectations are much higher there than at privately-owned companies. And then, of course, it also became a top management priority that the company is responsible for what happens with data. So this has been very helpful in pushing the whole data governance agenda and making sure that there is a team called data governance that has this as a sort of full-time job.

Ivana Karhanová: When you look at other companies, you get the sense that management understands the importance of data governance. Or often, it has to be a negative event that actually, I don’t want to say, opens the eyes of the management but shows them that you can’t do it without it.

Mirek Umlauf: Because I have the opportunity to be in contact with other companies through speaking and training, I always do my research on how they work with data, and I notice that it’s not necessarily a screw-up in that particular company that makes them pay attention; when something happens in their industry to some other company, they pay attention. I had one seminar this year where everything moved from the earlier topic of how to use data for business intelligence to questions about how to secure it. So those companies are – partly because it’s a much talked about topic in the media – starting to look at what’s going on around them. And I think they’re also listening more, also because of a couple of cases here in our region involving data security and ransomware.

Ivana Karhanová: When a company decides that they’re going to implement data governance and they’re going to do it properly, how long does that process take? Or what does that company have to start with?

Mirek Umlauf: This is very similar to when we talked about implementing business intelligence years ago and asked questions like when the project will end. It’s never going to end because, as the company develops, these activities have to develop. I approach it by always asking how mature we should be in a year, two years, or four years.

Ivana Karhanová: But you measure maturity. How do you validate it?

Mirek Umlauf: Fortunately, there are already a lot of industry standards for that. Just like you could measure maturity in business intelligence analytics years ago, there are now methodological procedures for measuring it in data governance. We took one of the approaches and measured ourselves with a self-assessment to see where we stand on the imaginary ladder. We have four dimensions (the 4Ps): how people in the company work with data and how they perceive data governance, what the policies in the company are, what the processes are, and what the platforms that support data governance are. We measured across those four dimensions, and we found, aha, here we are.

Ivana Karhanová: But we should probably be.

Mirek Umlauf: Higher. So we were looking at what will lead to that, how we get higher, and how we improve the maturity in terms of the perception of data governance among employees. We’re making progress on those four pillars, trying to move one step further every quarter. And to answer the question of how to start and roll out data governance in a company the size of ours: the moment we said, okay, let’s do this systematically, within six months we had an organizational structure and functional, regular, classic project management. We had a data governance platform a couple of months later, and new policies are in the pipeline. The biggest challenge is to get as many employees involved as possible. So we have a plan for another 15 months in which we need to onboard as many employees as possible into what we call data steward roles, because you can’t say that, just as IT will solve all the security problems a company has, it will solve them in data governance as well. You can’t say it like that: you need many people to help you implement and maintain this in the company.

Ivana Karhanová: But you’re saying it’s a never-ending process if a company gets it right?

Mirek Umlauf: It moves from the project phase, which I think should take 18 months, to some sort of business as usual. Then the company learns to assess the risks it’s discovering, so suddenly it knows what data it has, what systems it has, where they are, and how the regulation is evolving. Maybe it knows the gaps that every company has against some regulatory requirements. Then it prioritizes: Is this a risk that we can still bear, or is it worth investing to minimize it in the short term or the longer term? So that’s then mature, responsible data governance, where I just know what my risks are, what my landscape is, and then it depends on what priority it has in the context of everything else the company is doing.

Ivana Karhanová: What do you think most often prevents companies from starting to deal with that data the way they should? Is it feeling that it’s not that important, that they don’t necessarily need it for their business itself?

Mirek Umlauf: Now I think all companies realize that they have to do something with data. They have to start using it to succeed against the competition.

Ivana Karhanová: It’s one thing to start using it, but the other thing is what you mentioned – to have the data described, know where the data originates, what happens with it in the company, who has access to it. I have the feeling that in many companies, data policies are not yet developed in this way.

Mirek Umlauf: I’m sure data policies are not worked out like that, but I think that the moment a company starts using data in a green field, they suddenly say, “Wow, we can see how many customers we have, how they buy, what we could offer them.” Here, the wow effect is always very short-lived with any data project because then suddenly somebody starts to see that maybe it’s not right, or there’s a problem, or it’s not available, or it doesn’t quite work for all use cases. So they start addressing the data quality issue, and suddenly everything beautiful that was there to see is not so beautiful, and now they need someone to address that. Most of the time, the process is that they’re like, yes, we have a nice report or some nice analysis, but it’s not quite repeatable now, and who’s going to address that? So they go through this sort of pissed-off phase: we’ve got it, and it’s not that great. So they start to ignore it at first, thinking they’re going to make decisions without data, but then maybe they come back to it. Well, it’s the same now that we have regulatory expectations – GDPR and the regulations in other parts of the world – that the company can responsibly show customers what data it has on them. I sometimes ask some companies: what kind of data do you have on customers who came to your website and bought something from you? The answer is usually: Well, I have to ask that person, and he’ll ask someone else. So they don’t have one place to look to see what data they have.

Ivana Karhanová: Avast wanted to use data governance to regain customer trust. They wanted to regain investor trust, which had eroded for some time in the past years. But then you said that the other goals were an offensive strategy, where you were trying to sell more, and now you’ve moved into the defensive phase, where you realize the need to protect and properly handle that data. So how does that play out specifically?

Mirek Umlauf: You can’t choose to have just an offensive strategy or just a defensive strategy. It’s about balancing, and historically, most of the time, when smaller companies start working with data, they use offensive tactics to improve their competitive position. They want to have data analysts working with all the available data.

Ivana Karhanová: So you see a clear benefit there? I just have the data, and I sell more?

Mirek Umlauf: I have data, sell more, and improve the product.

Ivana Karhanová: But, I have the data, and I protect it – there is what benefit?

Mirek Umlauf: You don’t have to start with the fine that every company can face under GDPR or other regulations. But the fact that I have bad or incomplete data, or I just drop some information when collecting data, I can start making bad decisions, or I can offer customers a product that they already have. So the impact of not being able to prepare data or collect data well is huge and measurable on the actual running of the business and the customer experience.

Ivana Karhanová: Data not only needs to be collected, but companies should also know how to dispose of it in the right way. This means not only at the customer’s request that maybe they don’t want the data to be stored, but maybe the company itself needs to not store the data anymore and not have it at all. How does the data lifecycle work in this case, and how to dispose of it properly?

Mirek Umlauf: Getting rid of data is a topic that I think many companies will be dealing with for a long time. What GDPR came up with is that I can’t just keep all the data forever. There’s been something similar in other regulations, in the telecom law. If the system is designed to be able to get rid of the data, it’s not such a problem. The problem is that most systems have historically been designed so that something like complete data disposal is not supported by default. So to come up with a solution that would demonstrably erase that data for a company is a challenge that we are solving, and all the companies around us are solving. The starting point is knowing what data I have, where it is, then assigning a label to it, and how long I can keep it. It’s one thing to have some tax regulations, but it’s not just the regulation itself. It’s what I’m using it for. GDPR describes very nicely how long I can keep them.
When I collect them for a purpose, I should have them in my privacy policy, and then I have to go system by system. If those systems weren’t historically designed to forget the data, then come up with a technical solution and delete or anonymize the data. That’s a topic sometimes up for philosophical debate about what is sufficient anonymization. Because if I anonymize the data, then I can say that it’s no longer subject to GDPR or any regulation because it can’t go back to a specific individual. So the other way to get rid of data is to be able to anonymize it.

Ivana Karhanová: And do companies want to get rid of data because then you will miss it again? You can’t just have a blank field in your history or just no record.

Mirek Umlauf: It depends on what data I want to get rid of. Do I want to get rid of individual records that so-and-so bought this? Or, for the older data, do I just need to know that so-and-so made ten sales to five customers in some region on that day? So I can aggregate. A good approach is also to say what the data is, the aggregated information, and the very sensitive data where you can already see the individual record of that customer.

Ivana Karhanová: That means saying to yourself that we don’t actually need to keep that kind of detail for the long term, so we’re going to get rid of that data and just keep the anonymized data. From this point of view, it also reduces the risk of any attacks.

Mirek Umlauf: Exactly. Because nobody can steal the data that I don’t have. Then I’m dealing more with information security. Okay, so the information is commercially sensitive, but again, the sensitivity of that information decreases over time anyway. So four-year-old information that sold something somewhere may not be as attractive to an outsider.

Ivana Karhanová: Now that we’ve dug into data security, how can data governance help in cases that are not very common and companies not be afraid of them, but when they do happen, it’s a problem? I’m thinking of hacking attacks or ransomware, for example, that have occurred.

Mirek Umlauf: One of the deliverables that data governance has is actually the ability to know what data I have where, on what systems, and in what places. Then in those places, I should have some monitoring of who has access to that data, what it’s being used for, and if there’s ever an attack like that in the company, then actually the company knows where to look. So they know where the gold, the most sensitive data is.

Ivana Karhanová: On the other hand, a company should always know where its most valuable data is, right?

Mirek Umlauf: Well, of course, that’s true. A company should always know how much money it has, how much it has made, but I guess what happens to companies is that they just don’t always know it well.

Ivana Karhanová: If there is an attack or someone announces that they have carried out an attack, how should the company proceed?

Mirek Umlauf: Either the company detects the attack itself.

Ivana Karhanová: Yeah, that’s probably the better option.

Mirek Umlauf: That’s the best option. And of course, it can also learn about it from the outside, and then there has to be an investigation phase. So that’s what incident response teams are for, and they should exist in those companies, and they should have access to the relevant points in the systems and in the network. And actually start the investigation. Some regulators, for example in Australia, only give maybe 72 hours for a company to report that something like this is happening. That time is awfully short, and it’s getting shorter. Of course, catching an attacker or an attack as soon as possible helps to avert real damage. It makes a difference if five records are lost or the whole database is lost, but all these attacks are very sophisticated. If you look at the list of all the cases around the world, some of them are caused by such stupidity that somebody left some access open somewhere, others are very sophisticated, and the responses of those companies are beautifully documented. So, of course, the best response is not only to start investigating internally but to start communicating transparently about what is going on, rather than denying it. Some companies have been in denial for a long time and then basically disappeared from the market because it broke their neck.

Ivana Karhanová: Broke their necks what? Lost trust?

Mirek Umlauf: Lost trust, because the moment the data from a product you bought gets into the hands of unauthorized people and the company denies it for a long time, you...

Ivana Karhanová: You don’t want anything to do with them anymore.

Mirek Umlauf: You just don’t want to. And then, of course, it gets out to the media, so those people realize that they trusted that company, and nobody even informed them about it. And there are a lot of cases like that around the world.

Ivana Karhanová: Could it happen that someone will blackmail you for having your data, even though they don’t have it?

Mirek Umlauf: Unfortunately, this is a common occurrence. I’m talking to smaller companies, start-ups, who are having this happen to them, and they’re suddenly saying: How do we react when someone writes to us that they have a database of a couple of our clients? Should we ignore it? We can’t ignore it, because if there is something there, then later on in the investigation the company can always show that it has approached it responsibly, that it has a track record: there was this case, we looked into it, and we didn’t detect anything.

Ivana Karhanová: Does that mean that the firm should be able to find out if the counterparty has the data?

Mirek Umlauf: They certainly shouldn’t sweep it under the table, and they should be able to check in their systems if it’s even possible for something like this to occur and have some sample data sent to them. But from what I’ve seen of a couple of these cases, it usually ended up with the attackers not sending a data sample, just sending extortion emails. But of course, it’s a tactic where at the very least, you’re going to make the company feel bad that they have to pursue this.

Ivana Karhanová: It just drains its capacity. Is this part of data governance as well?

Mirek Umlauf: This is part of information security. We have dedicated teams at Avast, but that’s the classic security red team, blue team, where on the one hand, they look for problems in our network. On the other hand, they respond to what appear to be problems and threats from the outside, and then, of course, it’s also the incident response team.

Ivana Karhanová: Let’s end today’s podcast with a little technology window. You mentioned at the beginning that, of course, technology could help with data governance. So what should companies go after, or what should they be interested in about technology? Probably not just writing Word and which role is responsible for which data, but I suppose it’s much more sophisticated.

Mirek Umlauf: Well, that’s a nice example because when you write something by hand, it’s usually out of date by the next day. For starters, it’s good to make an overview, a spreadsheet, of what my systems are. With the size of the company, I need to have a systematic approach to having a registry of applications and systems. Historically, there have been some tools for that, but they mostly looked at the fact that there was a system, but they didn’t really look at the content, and from a data governance perspective, it’s important what data is there, what it looks like, whether it’s protected.

Ivana Karhanová: Just knowing what a record means.

Mirek Umlauf: What is the meaning of the data in the system. It’s one thing to know what data is there and then what happens to it next, where it flows on to. There are tools for that today.

Ivana Karhanová: That means some monitoring.

Mirek Umlauf: Maybe I wouldn’t call it monitoring exactly, but yes, knowing that there is data in system A and then some of it flows to system B, and something happens to it there. And then it goes into, for example, a data warehouse. That kind of visibility is good to have, even how the data flows somewhere and how it’s protected. Those three steps address data at rest, data in motion, and data in use. This is what I should know as a company. There are technologies today that help automate this, because if we were to do an exercise in any company and document this, I’m going to have exactly a spreadsheet that will be out of date in a week. And we all know that people don’t like to fill out spreadsheets, they have a lot of other work to do, and at the same time, you can’t do anything else with spreadsheets like that. You just see them. So we’ve approached this by deploying technology that – to oversimplify – knows about every system because it’s connected to it somehow. It can see what data is in there, and it can automate, do profiling, and detect if there’s sensitive personal data. So suddenly, we can see into that mass of database systems. We can prioritize: hey, so these are all places with really sensitive data. And at the same time, we can classify the data or the places and say, hey, this is probably where the data shouldn’t be, or we can see that there’s personal data, but it’s not protected somehow.

Ivana Karhanová: Does that mean that it also visualizes the journey of that data through the company?

Mirek Umlauf: That’s absolutely the ultimate goal, to show this visually. And not only within the company, but I would like to show this to customers one day: look, you bought a product here, there’s this record of it, this is how it flowed through our systems, and one day it will disappear from here. So I think that every company should have that goal: all the data that customers entrust to it should be shown not just to the company itself but to the customers, if they’re serious about it.

Ivana Karhanová: So that’s the last question. Do you know any company that shows it to customers like that?

Mirek Umlauf: I don’t know yet, because I know that all companies have a problem seeing how the data is flowing, what is happening with the data. A company can show it in isolation within a system, but within the whole company, especially when it’s big, it’s a huge challenge. But I think that’s the way it should be. Today, the technology exists to do that – automation, hence the data governance platform. We need to automate it because order is not made once; order is maintained. We need that order to be maintained, but just telling people “keep order” doesn’t work either. So that’s why the technology that...

Ivana Karhanová: It keeps order for them.

Mirek Umlauf: It helps to keep order, or it shows them: look, you have some data here, it’s not mapped, maybe it’s not secure, do something. This needs to be automated to scale.

Ivana Karhanová: Says Mirek Umlauf, Chief Data Officer at Avast. Thanks for joining today’s podcast. See you sometime.

Mirek Umlauf: Thank you for having me.