CIOs Consider Putting a Price Tag on Data
- 23 June, 2014 22:48
We know in our gut that data has value. No company can run without it. But what is it really worth? As CEOs realize that data is an asset that can be exploited as a new source of revenue, they will start to ask CIOs about its financial potential. Responding with a shrug and a shot in the dark won't exactly enhance your own value in the CEO's eyes.
Patents, trademarks and other forms of intellectual property have long been accounted for as intangible assets in a company's financial reports. But those numbers are only estimates that may or may not include more mundane kinds of information, such as customer profiles. That's partly because no standard method or accounting procedure exists for putting a dollar value on data.
See Sidebar: Dollars for Data at the end of this article
"It's frustrating that companies have a better sense of the value of their office furniture than their information assets," says Doug Laney, a Gartner analyst who studies information economics. "CIOs are so busy with apps and infrastructure and resourcing that very few of them have cycles to think about it."
But now is the time. The chief supply chain officer knows the value of his factories. The CFO knows the size of the company's debt and, to the penny, its cash on hand. The CEO knows the company's closing stock price on any given day. CIOs need to know the value of the "I" in their title.
Follow everything from CIO on Twitter @CIOonline.
You'll be a more strategic player if you do, says Andreas Weigend, a Stanford lecturer and consultant on data value and consumer behavior to Lufthansa, MasterCard and United HealthCare, among others. "Be curious," he urges. After all, information is a competitive asset to insure, secure and develop. And knowing its value means you'll have better answers when fellow members of the C-suite want to quantify the risks and rewards of creating new products and services from internal data. Here's how to get started.
Can't Touch This
in the 1930s, when the newly formed Securities and Exchange Commission demanded that public companies account for their true costs and profits in regular reports, most of their assets were physical--machines, factories, buildings, land--and assessing their value was straightforward. Now the most important assets for many companies are comparatively abstract and may include patents, copyrights and trademarks.
Increasingly, a good chunk of the value of a company lies in the fields of a database and in secret algorithms used to cut and combine data to reveal new insights. Think of Acxiom, Equifax, or Dun and Bradstreet, companies that only buy and sell information--nothing you can touch. These data brokers already know what their information is worth: whatever it will fetch in the free market.
It used to be that technology and data officers gave CEOs historical data so they could spot trends. That's not good enough now, says Paul Ballew, global chief data and analytic officer at Dun and Bradstreet. "This phase requires us to talk about business outcomes [from data]. If you can't do that, you are a cost center."
Top executives across industries, though, typically overestimate how much and how well they measure the value of their data, says Gartner's Laney. About one-quarter of 410 senior leaders surveyed recently by Gartner say their organizations quantify the value of their information assets as precisely as if they were on a balance sheet.
One-third say they measure the benefits that each type of information generates, and nearly one-quarter say their information assets are well cataloged and defined. But, Laney says, that's "an acute disconnect from reality."
He estimates that less than 5 percent of organizations calculate the value of their data, measure its benefits, or properly inventory their information, based on client interviews and his ongoing research. But the valuation itself may not be as important as tracking how it changes over time, Laney says. You want to keep increasing the value of your data, so you must know how much it was worth at the start. Then continuously assess your most important data to see how accurate, fresh, unique, complete and relevant it is, he says, to recalculate the data's value.
If CIOs can't or won't expend the energy, someone else will. Namely, chief data officers and other executives responsible specifically for data strategy. Years ago, a CDO, if you had one, reported to IT. Now they may belong to the COO, CFO or another non-IT leader, says Aditya Kongara, head of enterprise data management at the $6.8 billion American Family Insurance.
Kongara has worked in data management for 13 years, including in senior roles at Capital One and Discover Financial Services. Early in his career, he reported to IT. Now he reports to the chief risk officer.
"I'm not really sure the CIO can be a new-business or revenue generator," he says. "IT is a steward of data--integrates, stores, manages security. But who actually uses the data and can make strategic decisions? The business."
Some data experts say it's possible to be exact when evaluating the value of a piece of data and they get frustrated when others disagree. In many circumstances, data does indeed hold an inherent value. Companies buy and sell demographics, psychographics, records of shoppers' purchases, health reports, online browsing histories--all kinds of data about individuals and groups. For example, $75.95 will get you a list of 4 million email addresses.
The Financial Times offers a handy online calculator to find out what your personal data is worth, if you can stand the insult. (The typical price is fractions of a penny per person. You're worth more--maybe half a buck--if you're moving or expecting a baby and, therefore, about to make big financial decisions.)
One enterprising grad student last year created a Kickstarter campaign to sell data about his online activities for $2 to $200, including the websites he visited, his GPS locations and his cursor movements. Also for sale: tools to analyze it all. "I've data-mined myself," Federico Zannier told potential customers. He ultimately made $2,733.
Individual pieces of corporate data, too, are worth something, according to Bob Schmidt, a data steward at Wells Fargo. Schmidt and colleague Jennifer Fisher applied for a patent in 2011 on a method for calculating that something. Key to the math is first quantifying the quality of the data.
One way they do that is by looking at how often a piece of data is used by employees or customers, assuming that frequent use indicates a vote of confidence. Other variables include accuracy, timeliness and security of the data. Freshly obtained and scrubbed consumer addresses, for example, would be much more valuable than old, undeliverable ones.
Schmidt declined to be interviewed, but the patent application makes clear his irritation with outdated ideas about the significance of corporate data. He talks, for example, about accounting regulations that treat the training of employees in how to use data better as a cost, with no offsetting measure of the value gained from people then working smarter, as bosses so often demand.
Without an established accounting rule for valuing it, data becomes invisible--a zero--in financial documents that are supposed to portray a company's true health. That can't be right. As the patent application notes, "This 'data is free' mentality stymies investment in quality data."
The patent description acknowledges that the Wells Fargo method isn't the only way to value information, but it provides "one or more valuations of data that can be useful for settling on a course of action." In other words, "Hey, at least we're trying."
In February, the bank hired its first chief data officer, reporting to the CIO.
Companies may not be in any rush to report the value of their information publicly. It's a source of power and market differentiation, so why tip off competitors? But pinpointing the value of data has some practical consequences internally. A company can more accurately value itself in a merger or acquisition. IT leaders can also make a better case for spending money on data security and privacy technology and personnel, says Ed Ferrara, an analyst at Forrester Research.
He likes an approach that considers current and future revenue. Broadly speaking, CIOs would chart the IT systems that support each major corporate function, such as sales, marketing, manufacturing or research and development. Then they measure the contribution each system makes to top-line sales or bottom-line profits.
Next, ask questions. Could the company meet sales targets if these two databases were out of commission? "Then you know which information has value in an estimated hierarchy," Ferrara says.
In justifying security spending, CIOs or CISOs would also want to evaluate the probability of particular threats. "If you can do that, you can make decisions on how much you want to spend on [protecting] the asset."
The system isn't as precise as, say, generally accepted accounting principles. But it's more than what many CIOs do now, he says.
Ken Grady, CIO of New England Biolabs, is going through a data valuation exercise to figure out how much and what kind of insurance to buy for the company's information assets. But not everything is worth protecting. For example, PowerPoint presentations from routine meetings, videos from a training seminar and chemical safety sheets are everywhere and easily reproduced, he says. Sorting the mundane from the valuable "requires us to really understand and assess which types of data have a financial value if compromised and which don't."
Zannier, the privacy-eschewing grad student, might have made more money if he had talked friends into joining him in sacrificing their privacy. Marketers could then buy the data to answer questions about twentysomething university students in New York with a penchant for risk. Many data gurus say information has no absolute value; its worth materializes only when it can be used to make a decision, then it goes away.
"The value of data has to do with imagined impacts," says Doug Hubbard, founder of Hubbard Decision Research, a consultancy that focuses on applied information economics. Those impacts can be either positive or negative. Movie rights, for example, can be licensed and generate revenue for years. A weakly protected customer list, on the other hand, can be stolen, forcing a company to pay millions in fines and court settlements.
Rather than trying to gauge the value of information alone, a CIO should consider which decisions would be made differently if the value were known, Hubbard says. Look at the potential costs and benefits of making one choice instead of another. That is, analyze the situation, not the data.
"You're making decisions with consequences. Those are more significant than any one bit of data," he says. If there are no consequences to a decision, the data is worth nothing. "The data is useful in that it helps eliminate uncertainty."
Unlike your wedding ring or your Rembrandt, data can be stolen but still remain in your possession. Thieves who take copies immediately diminish -- maybe destroy -- the value of your original.
Insurance companies offer cybersecurity policies to reimburse expenses related to breaches and theft, but the value of the data isn't the central issue, says Reynold Siemens, an attorney at the law firm Pillsbury Winthrop Shaw Pittman. He represents policyholders trying to extract payments from insurers.
Rather than value the data at the center of the situation, the two sides quantify the costs of the incident, such as customer notifications, technology to stop or prevent a future breach, fines and judgments, he says. In some cases, the CIO may be questioned about costs to investigate the incident, determine the extent of it or reconstruct data that's been damaged by criminals.
Policies and premiums are determined based on assessments like these, for which the two sides can estimate a dollar value. But the data itself isn't insured, Siemens says, though it is possible to buy insurance to cover the cost of reconstructing or repairing damaged data.
At the $73 billion retailer Target, last year's theft of the personal data of up to 110 million customers caused expensive problems (not to mention cost the CIO and CEO their jobs). In the first three months after the breach, Target spent $61 million on card reissues, fraud-detection systems, legal fees and other expenses. The store also plans to spend $100 million to install systems to support smart-chip credit and debit cards, which protect data associated with them better than point-of-sale systems alone.
The breach's trickle-down effects include lost sales during the important holiday shopping season. CFO John Mulligan told Wall Street analysts he can't yet measure its full impact, but he described the situation as "meaningfully negative."
So far, Target has received an insurance payout of just $44 million.
Consequences of a breach are difficult to plan for, says Grady, the New England Biolabs CIO. "Trying to anticipate the scale and scope of data compromise can run a very large range, from an email sent to the wrong place unintentionally to a Target-level compromise," he says. Such unknowns make valuing data difficult, he says.
Siemens, who isn't involved in the Target case, says clients sometimes ask if they can buy insurance to protect some discrete piece of data or intellectual property. "The answer, generally, is 'no' because there's no real way to put a value on that," he says. "The process is so esoteric and speculative that the insurance industry is not willing to underwrite it."
Like a Beef By-Product
As technologies such as mobile apps, sensors and analytics come together to produce mountains of data, CIOs have the opportunity to lead discussions about how the information can be packaged as new products and services.
Making the business case in those conversations is different from justifying the cost of a new ERP system, says Barbara Wixom, a principal research scientist at MIT's Center for Information Systems Research. She is studying how companies monetize data in a digital economy.
Selling data or new products based on data "is a lot different from using it internally," Wixom says. CIOs have to think about valuation and pricing but also about packaging, customer service and a sales strategy. "All require investment and a vendor mentality," she says.
People should stop thinking of data as something inherently different from tangible products like soap or cars, says Forrester's Ferrara. Data is a by-product created and shed during a company's normal operations.
"This is no different from a company that processes beef to put steaks in the supermarket. They find the by-product of that process can be used for animal feed," he says.
For example, data from sensors built into refrigerators to improve the manufacturing process might also be sold to repair companies that want to target customers as their fridge's cooling coil or ice maker is about to go, he says. Innovation teams that include the CIO or other IT leaders can "take raw information and turn it into a product."
Hubbard contends that the CIO should have data scientists, even a chief data officer, on the technology team to supply quick, thorough data to support burgeoning information products. "You need the equivalent of an actuary in IT."
Kongara at American Family Insurance characterizes data as being "manufactured" and says some products are more valuable than others. Part of his job is to support efforts to create new revenue streams with various business units.
At the same time, his data management group works on perpetual problems, such as trying to find the definitive way to predict the lifetime value of a customer. Insurers, retailers and consumer packaged goods companies all chase this metric, combining many pieces of data via proprietary algorithms. The result is always an estimate, sometimes accurate and sometimes not. An incontrovertible number is "the holy grail in insurance companies," Kongara says. "People are searching for it still."
Dollars for Data
Many types of data already have a price--either in the free market or in the underworld
Putting a price tag on information isn't new. A classic example is the ticker data that flows from stock and futures markets. A 1905 Supreme Court ruling (Chicago Board of Trade v. Christie) gave financial exchanges the right to own and sell that proprietary data, a cash cow that can amount to 30 percent of an exchange's revenue, says Robert I. Webb, a professor of finance at the University of Virginia. A real-time feed of New York Stock Exchange stock prices for use by online media outlets, for instance, costs $25,000 per month.
All manner of personal and corporate data is for sale, from legitimate and black-market brokers alike. Quick-and-dirty Web research offers the following shopping list:
- Individual criminal histories: $13.95
- Database of U.S. physicians: $239.99
- DNA test for tracing family history: $99
- 4 million fresh email addresses: $75.95 per week
- Major League Baseball game statistics feed: $1,900 per month
- Consumer mailing list: 2.5 cents per record
While much of that data is inexpensive, the cost of a data breach is not: an average of $145 per record, according to Ponemon Institute. That can really add up if you lose millions of records.
There's a burgeoning underground market for stolen data, including a flood of purloined credit card numbers from the Target security breach that affected up to 110 million consumers. According to blog posts by cybercrime investigator Brian Krebs, the price of payment numbers stolen from Target ranges from $23.62 to $135 per card. He says the prices vary based on factors such as "the issuing bank, the type of card (debit or credit), how soon the card expires, and whether the card bears a special notation that often indicates a higher credit limit, such as a Platinum card."
-- Mitch Betts
Kim Nash is managing editor of CIO Magazine. Follow her on Twitter @knash99.
Read more about leadership/management in CIO's Leadership/Management Drilldown.