Assessing Your Company’s Data Literacy Starts By Asking These Three Questions

Merav Yuravlivker is the co-founder and chief executive officer of Data Society.

As leaders continue to realize the importance of data analytics for their bottom line, they are likely recognizing that they need to also assess their team’s current level of data literacy. I previously wrote about three steps leaders can take to create a culture of data sharing, including establishing a solid data infrastructure, championing data literacy and instilling long-term, data-driven thinking.

However, taking a step back, before attempting to develop a data-sharing culture, it’s critical to first assess where an organization and its employees fall in terms of data literacy. This way, leaders can identify where needs lie and act in accordance with current skills levels at their company. I’ve worked with multiple organizations where they discovered a divide between their aspirational levels of data literacy for their team members and their realization of current levels of understanding.   

And we know the results can be substantial for companies that successfully implement a data-forward culture. A recent survey from Gartner confirmed that embracing a culture of data sharing can lead to a three-time increase in economic growth for your company.

There are many factors to be considered that contribute to an organization’s baseline level of data literacy. In order to accurately assess your company’s baseline, start by asking these three important questions.

How data-driven is your company?

The first question to ask relates to existing decision making at an organization. Think about how your executive team is currently making decisions — how are they already leveraging data in the decisions they are making on a daily, monthly and annual basis? What other decisions are recurring regularly, but not incorporating data? Beyond the C-suite, are executives communicating the importance of using data to drive decisions across their departments?

Importantly, when leaders understand how data science can be applied to their specific role and industry, they can support the process of promoting data literacy among their teams. Most likely, there are areas where their decision making can be strengthened by rudimentary predictive analyses. Identifying where these areas of growth exist across departments and incorporating them into everyday decisions can help to build a cohesive data strategy throughout all levels of an organization.

What data tools will help you meet your objectives, and do you have staff who can support these tools?

An important part of understanding an organization’s data literacy baseline is assessing what tools teams have access to that could help them fully harness the potential of their data points. If team members have data at their disposal but are still relying on analysis through spreadsheets, they may be spending more time on building formulas and manually sorting through rows and rows of data. In my experience, this level of spending is not realized in many organizations due to a lack of appropriate exams to judge skills levels and develop a pathway that will lead a learner from nascent to proficient. According to IDC, spending on tools and solutions has increased to $215.7 million, over 10% in the last year alone. Creating ROI from this level of investment requires expertise and tried and true methods of reskilling professionals.

Make sure to assess whether you have access to the right tools needed to achieve your desired outcomes from using data, as well as how employees are currently leveraging the tools. From the exam, it’s important to ensure that team members feel knowledgeable, comfortable and confident about how, why and when they should be implementing a certain data tool or methodology. This can help to ensure you’re investing in the right tools that close skills gaps among employees and to help meet your organization’s objectives.

How are you defining success?

At the outset of the process to determine your baseline, be clear about the measurable goals and objectives you are trying to reach in your organization and how data can play a role in accomplishing these. Articulate what you are trying to accomplish and the different metrics you will use to determine success. What specific skills and processes are you looking to implement among your staff, and in what time period?

With measurable goals set, you will have a way of quantifying whether your efforts to increase data literacy are working.

Overall, organizations must establish a baseline of their data literacy levels before embarking on a journey to establish a culture of data sharing among their teams. Determining your organization’s baseline of data literacy illuminates where and why resources and effort need to be targeted.

And don’t be discouraged if your organization’s baseline reveals a lower level of data literacy than you had initially thought or hoped. Understand that elevating your company’s baseline from where it currently stands is a continuous effort contingent on leadership’s examples and routine training. It’s not an overnight process, but building a strong data culture at your organization is likely to pay off.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify? 

Senators Question KPMG Role in Microsoft Profit-Shifting Scheme

Wiz CTO: Microsoft Cloud Breach Findings Raise ‘Many More Questions’

With Microsoft revealing that the timeline for the incident may stretch back to early 2021, there are now big questions about what the company’s evidence shows — or does not show — about what the China-linked threat actor was able to do during that time, Wiz’s Ami Luttwak tells CRN.

The latest findings from Microsoft about the high-profile cloud breach that impacted U.S. government email accounts raise “many more questions” that need to be addressed by the company about the potential activities of a China-linked hacking group blamed for the attack, Wiz CTO Ami Luttwak told CRN.

In particular, the new findings from Microsoft do not make clear what evidence the company truly has — or does not have — about the potential impacts of the attack, Luttwak said in an interview Wednesday.

[Related: Microsoft Cloud Breach: 5 Key Findings From Wiz]

The breach, which reportedly affected federal agencies including the State Department and Commerce Department, has drawn significant attention across industry and government. In late July, U.S. Sen. Ron Wyden requested a federal investigation to determine “whether lax security practices by Microsoft” led to the hack.

In a blog post Wednesday, Microsoft disclosed additional details from its investigation about what may have led to the breach. Without a doubt, it’s a “great step” that Microsoft has shared the findings, Luttwak told CRN.

“That’s very important in terms of transparency,” he said. For the most part, however, “It’s not conclusive evidence,” Luttwak said.

One new detail revealed by Microsoft in the post Wednesday is that the timeline for the incident most likely stretches back to April 2021 — more than two years earlier than previously believed.

Given that Microsoft had initially believed the incident began on May 15, the new timeline “raises a ton more questions” about whether the threat actor’s activities may have involved more than compromising the email accounts of 25 organizations, as Microsoft previously thought, according to Luttwak.

Additionally, Microsoft disclosed in the blog that it does not actually have logs going back to April 2021, due to its log retention policies — which suggests that the company itself may not know one way or the other what the full scope of the attacker’s activities were, Luttwak said.

“There is a huge difference from saying, ‘The attack started in May 2023 and only affected 20 email boxes,’ to saying, ‘[Our system] was actually compromised two years ago and we don’t know what happened since then,’” he said.

During the attack, an Azure Active Directory key stolen by the threat actor was misused to forge authentication tokens and access emails via Outlook Web Access and Outlook.com, Microsoft said previously.

However, the potential scope of the incident is not restricted only to Microsoft cloud email accounts, Luttwak noted. Wiz researchers disclosed in late July that the stolen Azure Active Directory key could be used to gain access to numerous other Microsoft services — including SharePoint, Teams and OneDrive — as well as third-party applications.

With the Azure AD key, “you can basically impersonate anyone on any service,” Luttwak told CRN. With the longer incident timeline and apparent lack of log evidence, “can we say clearly that this [key] wasn’t used in the last two years?”

Among the major unanswered questions at this stage, according to Luttwak: “What could have been the potential compromise? How many emails could have been read, or other services [accessed]?”

And ultimately, “are there definitive logs — actual proof — that this key was not used [in other ways] by the threat actor?” he said.

“This is a very advanced attacker. They were able to compromise the network, they were able to find a secret [key] that Microsoft was unable to find,” Luttwak said. “And so I assume this advanced attacker knows what they’re doing — and if they got access to [additional services], they would use it.”

Wiz, a $10 billion cloud security firm that Luttwak co-founded in 2020, has previously discovered numerous security issues impacting Microsoft cloud platforms including Azure.

Microsoft has attributed the breach to a hacking group believed to have been working on behalf of the Chinese government, which the company tracks under the identifier “Storm-0558.”

In response to a CRN inquiry asking about Luttwak’s comments, Microsoft said in a statement Wednesday that its investigations “have not detected any other use of this pattern by other actors and Microsoft has taken steps to block related abuse.”

The breach was discovered after a U.S. federal civilian agency “identified suspicious activity in their Microsoft 365 (M365) cloud environment,” and reported it to Microsoft, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a post in July.

According to CISA, the data stolen in the attack was not classified, and the number of impacted accounts was minimal. “Microsoft determined that APT actors accessed and exfiltrated unclassified Exchange Online Outlook data from a small number of accounts,” CISA said in its post at the time.

In its blog Wednesday, Microsoft also disclosed that a flaw caused the Azure Active Directory key used in the compromise to be improperly captured, and stored in a file, following a Windows system crash in April 2021. Another flaw led to the presence of the key not being detected, Microsoft said.

The file containing the key was then “subsequently moved from the isolated production network into our debugging environment on the internet connected corporate network,” the company said.

After that, the threat actor was able to access the file containing the key through compromising a corporate account belonging to a Microsoft engineer, according to the company.

“This account had access to the debugging environment containing the crash [file] which incorrectly contained the key,” Microsoft said in the post.

The attacker’s access to debugging environment raises further questions about the potential impacts of the incident, Luttwak told CRN.

“Can we know that this was limited only to the debugging environment?” he said. “The Microsoft network is very big.”

In its statement provided to CRN Wednesday, Microsoft said that “we have no indication to believe that Storm-0558 has continued access to any of Microsoft’s networks or environments.”