In this fourth and last installment of this blog series, we are exploring risk # 5 and 6 of BI self-service and how to overcome this. We are looking at security risk and deployment risk of creating PowerPockets in an organization in an environment where key people can create their own BI work products. By Dr. Berg
BI Self Service Risk 5: Security
With BI self-service, there is a significant risk that users will start sharing information with individuals that should not have access. This may lead to negative impacts to the organization and violations of corporate securities standards.
Figure 1 – BOBJ Central Management Console (CMC)
Recommendations:
1. Reinforce the rules for information sharing in all user training sessions. Users should be made aware of the risks, responsibilities and possible negative impac t of sharing information with unauthorized personnel. A formal BI security disclosure form that is signed by the designers and super users in the instructor led training (ILT) may be warranted to remind user of the corporate security rules around BI and information sharing.
2. If you are not already doing so, you should conduct a formal BI security audit annually. This is not only a segregation of duty (SOD) review, nor limited to the technical review of user roles in BW and BI. It also includes the review of the information sharing and publication within your company’s organizational units. This annual BI security review should be incorporated as a standard operating procedure by the existing IT security group.
BI Self-Service Risk 6: Power Pockets
In most companies, summarized data that is combined across many organizational units are primarily available to senior management. The power therefore resides at the CxO and VP levels of the organization.
For a large organization there is little incentive to share this information downwards in the company. When dashboard's are employed to middle management, they can combine this with operational details and start making sense of 'why things are happening', instead of looking at 'what happened'.
This shifts power within the organization and may make the senior management feel that they are not equally informed, nor have the time to look at all operational details.
Figure 2 – PowerPockets in the Organization
However, if dashboards are given to only some key designers within the business organization, 'power pockets' may be created. In this case, the dashboards can be used to concentrate power regardless of position within the organization. In short, deploying dashboards and BI tools to select 'super users’ can create significant incentives to withhold information and concentrate power.
Recommendations:
1. The best way to deploy dashboards is to take an open security view: Everyone has access to the data, unless there is a very good reason to restrict it (once assigned you have to enforce it).
2. I believe that the key to the success of the BI self-service initiative is that operational information is shared with the people who can make the change on the daily operation - middle management.
At the same time, financial information is shared only with the finance group and senior management (VP and CxO). While, complex dashboards are given to super users that are designated by the business management, not the IT department, nor to all requesting it.
To accomplish this, a formal BI and dashboard deployment diagram should be updated and mapped to security roles as part of the next phase of the project planning.
Next Week
Next week (Nov 1-4) I will be speaking at the Reporting and Analytics Conference in Las Vegas, as well as at the Xcelsius bootcamp. If you attend any of these events, please stop by ‘meet-the-experts’ table for a chat…
Dr. Berg