Willem Koenders is a global leader in data strategy at ZS Associates with 10 years of experience advising leading organizations across all continents on how to leverage data to build and sustain a competitive advantage. He is passionate about data-driven transformations and a strong believer in "data governance by design." His views are his own.
Deliberations about defining your data approach often revolve around an offensive vs defensive data strategy. Here, an offensive strategy is focused on driving positive outcomes through increased revenues and profitability or by providing an enhanced customer experience. The primary objectives of an offensive data strategy are typically tailored to the product or business side of the organization, prioritizing AI and analytics use cases to drive superior commercial or financial outcomes.
On the other hand, a defensive strategy focuses on preventing negative outcomes. Here, the key objectives often stem from legal, accounting, and regulatory considerations. Such a strategy aims to reduce risks by focusing on compliance, governance, and security capabilities.
In their near-seminal article, “What’s Your Data Strategy?,” Leandro DalleMule (Chief Data Officer at AIG) and Thomas H. Davenport (Professor at Babson College and Senior Adviser to Deloitte) outline a framework for companies to decide how to choose between an offensive vs defensive data strategy and how to balance control and flexibility. In DalleMule and Davenport’s work, they describe a data-strategy spectrum, which illustrates how different industries play out their defensive and offensive strategies.
The main implication is clear: you cannot have it both ways.
One must choose between an offensive vs defensive data strategy. DalleMule and Davenport emphasize this by pointing out that “defense and offense often require differing approaches from IT and the data-management organization” and that “determining an organization’s current and desired positions on the spectrum will force executives to make trade-offs between offensive and defensive investments.”
I am afraid I have to disagree—at least to some extent. Although you cannot be fully offensive and fully defensive simultaneously, you can enable offensive and defensive objectives through several foundational approaches involving an intelligent use of technology that enables data products through a data mesh architecture.
A Different Perspective: Sports Analogy
Before diving into those capabilities, let’s use a sports analogy. We can use a variety of examples, but let me take soccer (or football, sorry!).
As a soccer coach, you have limited time to practice, limited resources to attract players, and a limited number of players you can field for every match. If you include an extra defender in the lineup, it will come at the expense of a more offensively-minded player. If your game plan is to apply pressure high up the field to recover the ball as quickly as possible, you cannot at the same time hang back to rely on your defense.
Yet there are many elements to a soccer strategy that enable you to achieve both offensive and defensive objectives. Ensuring the team has the right, dependable, high-quality equipment (e.g., cleats) will help defenders and attackers alike. Both offense and defense would be supported by a fitness regime that drives expanded stamina, team-building efforts that ensure that individuals act as a tight-knit team, and actionable insights from health analytics and opponent intelligence.
Even from an actual game strategy perspective, you can configure the team in such a way that the team players can be defensive- or offensive-minded depending on what the game asks for (i.e., attackers with defensive duties and defenders with attacking roles). The team can be trained to be able to switch rapidly from attack to defense and vice versa (also dubbed “counterattack”).
Driving Both Offensive and Defensive Data Objectives
What applies to soccer is equally applicable to your data organization. However, a trade-off between an offensive and a defensive strategy does emerge when resources are scarce. For example, when you have a limited budget or when you only have space to add one additional person to the team, a question might arise: Should I add a data quality specialist or a data scientist?
More generally, data management is not a goal; it can only derive value relative to the organization’s overall strategy and objectives.
For example, if an enterprise’s competitive advantage relies on being a product leader, this means that offensive capabilities such as experimentation and innovation are critical. If strategic objectives have more to do with regulatory compliance and preserving reputation, the focus could logically be put more on typically labeled defensive work such as data governance, data lineage, and general data ownership and quality. In such scenarios, a trade-off again emerges, where investments in offensive or defensive capabilities can have a higher return.
The below figure illustrates this concept, where some data capabilities are offensive, and others are defensive. With limited resources or clearly defined business objectives, the choice between offensive vs defensive data strategies is very obvious. But there are some foundational capabilities that I do not believe are necessarily offensive or defensive. In fact, whether you want to build offensive or defensive capabilities, it just doesn’t matter—you will still need these foundational capabilities anyway.
Allow me to explain using one example.
A data quality capability is required to ensure that data scientists aren’t spending too much time resolving data issues and to ensure compliance with KYC or ESG regulations. A data catalog, or more generally a capability to understand and visualize the enterprise’s data and systems landscape, is critical both for product developers and data scientists to find and consume the data they need and to be able to build data lineage and evidence data integrity.
Metadata management is perhaps the clearest example, as I personally see it as the cornerstone of data management. Without metadata, you cannot manage data – offensively, you can’t democratize or monetize it, or you can’t reliably feed it into customer insight-driven use cases; defensively, you can’t identify and classify critical or sensitive data, map data lineage between applications, or prove that you have implemented data security controls across the data landscape.
The Pivotal Role of Data Architecture in Defining an Offensive vs Defensive Data Strategy
It is really the data architecture that needs to be emphasized the most.
In their article, DalleMule and Davenport spend a lot of time and effort outlining the concept of a single source of truth (SSOT) and multiple versions of the truth (MVOTs) and how defensively oriented companies will favor SSOT and offensive ones MVOTs.
The argument goes that SSOTs allow for tight quality and governance controls and, therefore, stability, reliability, and decreased risks, whereas MVOTs “result from the business-specific transformation of data into information” that provide flexibility and drive value for specific business consumers. They conclude that the “CDO must determine the right trade-offs while dynamically adjusting the balance by leveraging the SSOT and MVOTs architectures.”
It appears that this conclusion overlooks the growing body of knowledge surrounding data meshes and data products. As I have previously written, data products specifically emphasize formal, fit-for-purpose quality controls so that a multitude of downstream consumers can use them for their respective use cases.
In fact, it is specifically the defensive-oriented components of data products, such as an accurate and transparent description of the data, its provenance, and quality considerations, that enable offensive-minded consumers to find, trust, and indeed use it.
Data mesh then enables local or domain-based teams to govern the data that they know the best while facilitating access to the rest of the enterprise through a set of interoperability standards. It’s quite literally a defense-enabling offense.
I’ve personally studied (and helped write) data strategies of 50+ leading global companies across banking, insurance, CPG, and retail. Although the tide is changing, it is remarkable that almost none of them call out data architecture as a central, enabling theme.
It is not a zero-sum game: you no longer need to choose between an offensive vs defensive data strategy; that is to say, defense doesn’t have to come at the cost of offense or vice versa. An intelligent data architecture can embed foundational data capabilities “by design” into the enterprise infrastructure, which will enable a formidable offense and defense at the same time. It’s almost as if you’d have some extra players on your soccer team.