Fisher Funds’ Data and Information Security Officer, Gladwin Mendez, shares his experiences and ‘top tips’ for success from his first three months in his new role
Senior leadership had been calling out to me for a while, when I was presented with the opportunity to drive and see the change for Fisher Funds, New Zealand’s fourth largest superannuation/Kiwisaver provider. An opportunity to own and shape the company’s data and security landscape to make a difference was too good to turn down.
I decided to take a five-step approach to hit the ground running: 1) discover, 2) assess, 3) align, 4) report and 5) implement.
Step 1: The Discovery Phase
We all want to make an impact quickly. However, the concept of a CDO or CDAO is still a relatively new concept for most New Zealand organizations. There are few of us, and few non-data execs fully know what one does.
It was always going to be vital for my success in the role that I truly understood our business and our people. A focus on understanding our company and our people was the first thing I prioritized. The aim: to learn from them and also educate people about my role.
I got the good old org chart, mapped out key stakeholders and their righthand people across the building and set off to meet with them.
I interviewed a good cross section of people to understand their frustrations around data and security (current state) and what their ‘nirvana’ looked like (future state).
“I wanted to understand what the lay of the land looks like and identify the gaps and opportunities from documentation, interviews and first-hand observations”Gladwin Mendez, Data and Information Security Officer, Fisher Funds
Note: Don’t cherry pick only positive stakeholders when undertaking this kind of exercise. Pick the biggest detractors, too. They will tell you the problems that exist, warts and all.
Some of the best interviews and insights I gleaned were from them and, from experience, they’re the ones who will support you most when the chips are down. They understand that you’re turning the dial to help them, the organization and its clients.
Step 2: Assessing the Current State of Affairs
Being able to convert all the qualitative information (and a fire hydrant flow of it there was, too) into quantitative information was key. Data people are often bad at measuring things. But the risk of not having quantitative information was that I might become just another person with an opinion.
I focused on distilling down all the information into measures. There are numerous data capability maturity models out there. Pick one you’re comfortable with and consider using that.
In my case I used the Mike 2.0. But there are numerous others you can use. As with any standard or framework, if you’ve selected a robust one, they can be interchangeable and remapped. So, pick one. Then, measure and benchmark going forward.
Step 3: Aligning with the Business Strategy
Alignment to company strategy – its people, processes, systems and data – is key. For example, if a digital strategy exists, the data strategy must align with it, because you can’t do digital without data.
A significant misalignment in any of those areas is going to hamstring efforts and set you up for failure. Meanwhile, aligning your data strategy with wider organizational goals helps you prioritize what needs to happen in the short-term, mid-term and long-term.
“I was very fortunate to have an engaged board and execs, who I engaged with on a regular basis, a good team and partners to support me”Gladwin Mendez, Data and Information Security Officer, Fisher Funds
For example, consider my second hat – security. The current global security landscape feels like the wild west, with data breaches occurring frequently. Security of data is key and is everyone’s responsibility. However, building the right culture is part science and part art, and all about alignment.
Having the best quality data in the world means nothing, if there’s a data breach and we lose the trust of our clients. So, I had to ensure that our security landscape was sufficiently secure to protect our customers, our employees and our organization.
This meant managing our security and data risks, ensuring the residual risks were within tolerance. Again, a focus on people, education culture and building up our security resilience was a key priority.
Step 4: Reporting My Findings and Data Roadmap
Knowledge is power, but only if shared. Reporting back on my findings to senior management, outlining what they needed to be aware of and what they needed to do was essential for securing buy-in for my plans.
I was entrusted with this senior role and it required me to show them that we had a plan to deliver value quickly and pragmatically. I presented our current state, my draft data strategy and roadmap, and socialized it with the senior leadership team for feedback.
A ‘one enterprise’ view was critical for delivering a view of the full data value lifecycle to the various executives. Some hadn’t realized what a big impact their actions upstream have on teams downstream.
“A simple, easy-to-understand strategy was critical. Everyone has seen strategies that are hundreds of pages long, that people then put in a drawer and never look at again”Gladwin Mendez, Data and Information Security Officer, Fisher Funds
For simplicity and transparency, I took a ‘principles-based’ approach that specified objectives and ‘key results’ (OKRs) alongside a draft roadmap on a single page. The US Department of Defense’s data strategy opens with an example of the approach I’m talking about.
I included a clear message to the executive and an acknowledgement that the strategy will evolve quarter to quarter as priorities change. A mentality of ‘fail fast and safely’ was communicated, stressing that improving and learning is what’s important.
Crucially, I cautioned against the most dangerous words any change leader can hear: “We’ve always done it this way.”
Step 5: Implementation Begins Right Away
Just because a guiding light or strategy needs to be created, doesn’t mean you stop making change. If something can be improved pragmatically and sustainably, get on with it from day one.
Realistically, you will never get everything lined up 100%. But 80% is good enough. (Depending on what it is, mind you. Regulatory reporting, for example, has little wiggle room).
My Key Takeaways
- People are key. As a leader, you need your finger on the pulse of your people and organization. Walk the floors and understand actual work processes
- Be pragmatic: 80/20 it. There’s no use investing significant effort and time to create a ‘perfect’ strategy. Start, learn, adapt and iterate your strategy agilely and quickly
- Deliver value quickly. Don’t get paralyzed with the volume of information and decisions. It’s better to learn 10 different ways something doesn’t work in a month than one thing that works 12 months down the track