Infobesity: How Much Data is Too Much?

Many financial services firms have such vast hoards of data – much of it unclassified legacy data – that owning it causes more data governance challenges than the information is worth. Olivier Nautet, Group CISO at BNP Paribas, says that firms suffering “infobesity” must approach the challenge cross-functionally, with a view to operational resilience and compliance. Here’s what he says about slimming down safely, effectively, and within regulation. 

Data decisions: Amassing data – especially information system and client data – forces decisions about encryption, classification, communication, usage, storage sites, environmental impact (data management takes a lot of electricity), and more. Making those decisions takes effort, but upcoming regulations will increase the pressure to make data management decisions. 

Classification is key: Classification dictates how encryption is managed. The key is to establish principles to determine the data that’s most important and how to classify it. Nautet says to start by determining the types of data necessary for the business (your “crown jewels”) and the credentials that must be protected.  

Protecting data is a collaborative effort: Data governance is a multi-team initiative including GTOs, DPOs, IT, cybersecurity, and the business. It’s up to IT to find the best solutions for data while the business determines what’s critical and what’s secret.  

Minimum Viable Systems: Think of data governance as part of operational resilience, in terms of minimum viable systems: if an incident shuts you down, it will take time to restart from scratch. Include “everything you need to ensure that you won't interrupt the business” in the system, Nautet says, such as data, systems, third parties, and compliance requirements.

Will AI fix everything?  AI will make classification easier – it can sort huge amounts of data – but you need to define the correct processes for all the different types of data you use and train your models well. Different types of data have different regulatory and governance requirements, and classification requires human judgment (especially around PII). And though AI sorts data quickly and the tooling is improving, AI may also help attackers locate encrypted data.  

The challenge is scale: Data governance has to be done on a global scale, and it can be overwhelming. The businesses, IT, and cybersecurity must all work to select the data to delete while respecting the regulations in every jurisdiction you work in, and to implement the right level of protection on the data you’re keeping. Slimming down is a data governance challenge that may require input from the whole organization.

 

FinCyber Today

FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.

Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.

Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.

© 2025 FS-ISAC, Inc. All rights reserved.
