What’s your data strategy? Is it aggressive and innovative? Or focused on risk mitigation?

A few years ago, Tom Davenport characterized the work that CIOs and CDOs do regarding data as data offense and data defense. 

“Data offense focuses on supporting business objectives, such as increasing revenue, profitability, and customer satisfaction,” writes Davenport. “It typically includes activities that generate customer insights (data analysis and modeling, for example) or integrate disparate customer and market data to support managerial decision making through, for instance, interactive dashboards.” By contrast, “Defensive efforts ensure the integrity of data flowing through a company’s internal systems by identifying, standardizing, and governing authoritative data sources.”

In my language, defense is about all things that make data ready and safe for analysis. This includes fixing data, controlling its use, and the list goes on. Offense is about the use of data to make decisions or transform a business.

Honestly, in the past, I parked data governance solidly under defense. I’ve since learned that labeling governance this way creates a perception problem, making it harder to get the business to care about data governance. But recently, a colleague of mine challenged my thinking by suggesting that this view of data governance is too narrow and that data governance (like data management) has both offense and defense components.

Before digging into the implications of this big idea, let’s explore how data governance has changed in the last couple of years.

Changes in Data Governance Principles

Historically, CIOs hated data governance even though they considered it important (my recurring #CIOChats on Twitter brought this pattern to light). CIOs hated it because they either had to force governance top down on the organization or IT took on data governance itself. Both approaches often failed, and made the CIO feel like a villain in the process.

So, what should the purpose of data governance be? Data governance should be about the people, processes and technology that enable delivery of the right data to the right people at the right time to support data-driven decisions based upon trusted information, bridging the gap between data and the business. Effective data governance delivers data that has the following qualities:

  • Right source.
  • Right quality.
  • Certified to be trustworthy.
  • To the people who need it when they need it.
  • To make data-driven decisions.

When governance is delivered in a system that captures feedback automatically, the entire governance mechanism can improve with time — and guide people to smarter data usage. New approaches to data governance are built on four principles:

[Image: data governance principles]

People-first governance is the opposite of being forced. It uses intelligence to identify (1) the people that know data best and (2) the data that should be governed and how. People-first governance signals a shift in purpose; it is not about forcing people to govern data or locking people out from using it.

In many respects, the philosopher Jean-Jacques Rousseau described legacy data governance when he said, “Man is born free but everywhere is in chains.” The legacy approach chained people to a limited view of governance — and restricted their behaviors. To free up data stewards, data governance needs to be built on an intelligence layer that makes it easier to steward data while making key processes autonomous. And finally, to truly improve, data governance needs to measure and monitor end-to-end performance so business objectives can be adjusted for the data governance program.


Offensive vs. Defensive Data Governance

So, what does data governance that embraces offensive and defensive postures look like? Let’s look more closely at how each process differs.

Defensive data governance:

  • Demonstrates compliance with policies and governmental regulations.
  • Provides lineage to support and defend audits.
  • Records compliance with privacy and other regulatory expectations.
  • Confirms the provenance of the data.

Defensive data governance addresses audit and oversight requirements. It demonstrates compliance with policies, which typically address data trustworthiness, data quality or data accessibility. Effective defense requires lineage to demonstrate the trustworthiness of data sources used for a report or analysis. This includes data provenance or the tracing of the origin of a piece of information. All of this supports compliance and helps to make data ready for analysis.


Offensive data governance:

  • Exploits data assets to deliver top-line value at the speed of business.
  • Aligns business definitions to measurements and metrics to drive alignment.
  • Calibrates trust in the data so decision-makers know it is appropriate to use.
  • Supports self-service and democratizes data so decision-making can be done faster.
  • Employs impact analysis of data products through data lineage.

Data Governance = Generating Business Value

Data governance offense, in contrast, is about generating business value from data. It recognizes that data is not captured but produced and must be fit for business purpose. In my discussions with CIOs and CDOs about cloud data warehousing, they insist that the move to the cloud needs to have a specific business purpose.

In this light, data governance offense supports the policies and maintenance of data insofar as these actions support that business purpose. Governance offense also emphasizes the management and improvement of data based on data quality findings. It creates descriptive metadata for produced data sets — which is valuable context for the business analyst. It can also speed up the time to value by setting up data the right way the first time.

So, what does this all mean? It means that appropriately constructed data governance has business value. It also means that data governance strategies can employ both offensive and defensive postures.

Clearly, this contrasts with legacy data governance approaches that were predominantly perceived through the lens of risk. While defensive data governance continues to have value, mixing in offensive strategy creates tangible business value — which is the reason to take the journey. And this means that data governance today is relevant to more than just risk-dominated businesses. Today, IT leaders have the basis to sell data governance to any business seeking to use AI or data more powerfully.


Parting Words: Better Data, More Support

All companies that run on data need data governance. The problem in the past was that data governance was viewed exclusively through the lens of risk mitigation. Adding offense to the mix is a game-changer for data governance professionals. It helps enunciate the business value of data governance – and win crucial C-Suite support. 

Expenditure on risk reduction for many businesses has been difficult to justify. This is what I heard from CIOs after the Target Hack. Given this, I would like to suggest that organizations start by addressing the offense side of the equation. This will drive data governance faster because it organically builds an involved group of business stakeholders that get value and are willing to be proponents of protecting the value they help to create.

These “Future Ready” firms consider data as a strategic asset. For them, “data is a strategic asset that is shared and accessible to all in the firm that needs it.”
