The deployment of information and communications technology (ICT) in the public sector has been exposed to increasing security breaches and cyber-related crimes that have resulted in unauthorised access, theft, fraud and misuse of highly confidential, classified and sensitive public sector data and information (PSDI) assets. The government, as one of the biggest collectors and distributors of PSDI assets, needs to be constantly aware of the risks associated with the collection, classification, storage and dissemination of critical PSDI assets. The lack of sufficient data and information security measures could pose significant security risks that could impact on state security, thus causing national working relationships to be strained, which presents gaps and opportunities for external intruders to capitalise on the mistrust of the government to launch further attacks on critical Information Technology (IT) infrastructure and systems. In order to mitigate and counteract critical and sensitive data and information-related crimes, the government must understand and analyse the importance of data and information security governance (DISG) and how it should be institutionalised through an integrated approach to improve and protect PSDI assets.
The aim of this article is to analyse the institutionalisation of DISG measures government has implemented towards the protection of PSDI assets.
The research setting is in three national government departments, namely the Department of Energy (DoE), the Department of Environmental Affairs (DEA) and the Department of Science and Technology (DST). This study investigates how the strategic combination of data governance (DG) and information security governance (ISG) practices and principles could be implemented and incorporated as one of the various approaches in public sector institutions to improve the DISG management functions of an organisation’s overall data and information systems and processes.
The research approach is qualitative, and the research methodology includes a multiple case study design. Data were collected through semi-structured interviews and were triangulated with a literature review. Primary data were analysed using thematic analysis.
The research findings are presented according to the McKinsey 7S model, which served as the analytical framework in the study. The research findings indicate that the institutionalisation of DISG management practices and functions in the South African public sector context is very limited, and there is a dominant focus on IT and IT security. It was also found that DISG policies, practices and systems are lacking in public sector management and governance functions.
The study concludes that there is currently a lack of sufficient DISG policies, management practices and systems, particularly in the national sphere of government.
The changing global environment influenced and driven by the Fourth Industrial Revolution (4IR) through the introduction of new and advanced technological theories, processes, systems and practices requires the government to formulate and implement conducive policies, frameworks, laws, rules and regulations in order for the 4IR to successfully achieve, accommodate and transition South Africa’s efforts towards improved security practices and measures towards its public sector data and information (PSDI) assets. The security landscape of information technology (IT) on both a local and an international scale is constantly evolving and changes daily. This requires consistent efforts to keep up with best practices to adequately protect PSDI assets and to minimise the risks associated with the theft, misuse, unauthorised access and fraudulent activities associated with cybercrime. The government must therefore implement proactive measures and approaches towards the protection of its PSDI. The purpose of this study is therefore to determine how the institutionalisation of data and information security governance (DISG) management functions and practices in the public sector can effectively and efficiently provide best practices and measures for improved PSDI security. Firstly, this article will provide a brief discussion on the theoretical perspective of the McKinsey 7S Model that is used as an analytical framework in the analysis and presentation of research findings in this article. Secondly, the chosen scientific and methodological approach for this study will be discussed. Thirdly, this article will discuss the research findings according to the McKinsey 7S Model. Lastly, conclusions and recommendations will be provided on how to improve DISG practices within the public sector.
The McKinsey 7S model is an analytical framework used to gain in-depth analysis of organisational functionality and the integration of systems. The model is based on organisational theory, which states that if an organisation is to perform at its optimum best, the seven elements of structure, systems, style, staff, skills, strategy and shared values must be integrated and aligned and mutually reinforced to achieve and maintain organisational synergy. The McKinsey 7S model has gained popularity in the academic and professional fields of study as a strategic planning tool because the model comprehensively illustrates and indicates how the seven elements of structure, systems, style, staff, skills, strategy and shared values are aligned and integrated as a whole to achieve and maintain efficiency and effectiveness in an organisation (De Vlieger
The seven elements of the McKinsey 7S model
The interdependency of these seven areas has been further broken down and categorised as either soft or hard elements of the McKinsey 7S model.
The hard elements or factors of the McKinsey 7S model have been said to be easier to identify and analyse and can be found in the form of documentation. The hard factors include the organisation’s strategy, structure and systems.
An organisation’s strategy consists of a well-developed plan designed by Senior Organisational Management (SOM) for the firm towards achieving a competitive advantage in its respective industry market. According to the McKinsey 7S model, strategy therefore particularly looks at the vision, mission, goals and objectives of an organisation; a sound decision-making channel and structure by management; the feasibility and sustainability of long- and short-term strategic programmes; and projects’ goals and objectives. The key to determining whether an organisation’s strategy is compatible with the McKinsey 7S model requires an analysis of how the organisation’s strategy links, integrates and transitions with the other six areas of the model and if these elements are aligned to the overall production, feasibility and functionality of the organisation (De Vlieger
The word ‘structure’ refers to how an organisation is organised to fulfil and perform its roles, functions and responsibilities. The McKinsey 7S model analyses structure by examining:
the organisational chart and the interconnections between various departmental functional activities;
hierarchical structures from senior, middle and lower levels of management;
the conjunction of decentralised decision-making structures (bottom-up approaches), as well as centralised decision-making structures (top-down approaches);
the combination of pyramidal, matrix or networked structures to collectively achieve and accomplish organisational goals and objectives; and
the lines, channels and structures of communication between the different levels, positions and functions of an organisation’s departments (De Vlieger
Systems in an organisation can be described as those elements that define the functional flow of activities related to the daily operations of an organisation. These often include the organisation’s core functions, support systems, procedures, processes and routines that are integrated to ensure the functionality and management of the organisation. Organisations’ systems can include:
human resources;
financial management systems;
supply chain;
transport;
procurement; and
information and communications technology (ICT) processes (De Vlieger
This section discusses the ‘soft’ factors of the McKinsey 7S model, which are style, staff, skills and shared values. According to the McKinsey 7S model, these factors are considered to be more difficult to identify because the elements are consistently evolving, developing and changing in an organisation’s internal environment. These elements have been found to be influenced and determined by the employees of the organisation and the manner in which their work is performed. It is therefore imperative that organisational management exercises caution when making changes to one or more of the above-mentioned elements as they have a great influence and impact on the hard factors of the McKinsey 7S model (De Vlieger
According to the McKinsey 7S model, style refers to the organisational culture of a firm, and there are two components of an organisation’s style or culture, namely organisational management and management style. Organisational management refers to values, beliefs, norms, opinions and standards that develop and become heavily present, active and practised in an organisation. These elements create unique organisational features, social events and the shaping of values throughout the entire organisational structure. Managers’ management style and the culture of the organisation can be related to the behaviour of senior management and managerial staff in achieving and maintaining an organisation’s goals and objectives, as well as how they interact with subordinate staff (De Vlieger
An organisation’s staff consists of job families that develop over time and that play a significant role in the collective success of an organisation’s overall goals and objectives. The McKinsey 7S model examines factors such as:
how many employees an organisation has;
what the internal recruitment processes and procedures are that must be adhered to;
how employees are encouraged and motivated to perform at their optimum best; and
how employees are recognised and rewarded for their efforts and contributions towards the organisation’s goals and objectives (De Vlieger
The skills of an organisation’s workforce consist of the distinctive competencies that staff at all levels of an organisation can contribute to the organisation that make it distinctively unique from other firms through the offerings of new and untapped knowledge, skills and capabilities that lead to the development, advancement and investment in staff development, skills and leadership skills (De Vlieger
An organisation’s shared values consist of elements that act as an organisation’s conscience and provide senior management, managerial staff and employees with guidance in times of turmoil and crises to handle and overcome internal challenges. Shared values are an organisation’s guided concepts, themes, principles and practices that are considered the foundational building blocks upon which an organisation is firmly built (De Vlieger
The methodological approach determined the data-collection techniques that were used in this study; the chosen methodological approach for this research study was a qualitative research approach. The qualitative research approach was selected for this particular research study because it is primarily concerned with how the social world is interpreted, perceived, understood and experienced by others. Because of the nature and requirements of this research project, the qualitative research method was chosen. According to Atkinson, Coffey and Delamont (
The use of interviews allowed the opportunity to conduct semi-structured interviews with CDs, DGs and DDGs in the DoE, DEA and DST to gain a rich understanding of their views, opinions, roles and responsibilities. These questions were designed to guide the direction of the data collection from senior management officials for the purposes of finding answers to the research question and objectives. The goal of using interviews in qualitative research is therefore to view the research topic from the perspective of the interview participants, and, in the case of this study, to understand their perspective of DISG in their respective departments. Furthermore, the study made use of thematic analysis of interview data. Braun and Clarke (
The interview data for this study were collected through one-on-one interviews with SOM in the DoE, DEA and DST. The participants were identified as skilled, knowledgeable and experienced personnel who specialise in protection of PSDI assets in their respective departments. The interview results and interpretations discussed below do represent a generalisation of the interview data. The interview results and interpretations are derived from the semi-structured interview questionnaire. The following section aims to present the interview results according to the McKinsey 7S model.
All three departments are situated at the national sphere of government and are primarily involved in policymaking and implementation. These departments are therefore required to ensure that there is transparency in the departments and throughout the government holistically. As a result, all data and information assets are subject to numerous internal and external rules, laws and regulations.
In the DEA, the following have been implemented as departmental policies and frameworks for ensuring DISG:
The DST is guided and advised by its legal department to ensure compliance with all current and existing laws and regulations in the public service. The legal department further assesses and evaluates the DST’s compliance and provides feedback and makes the necessary recommendations. The Auditor-General as an external entity also conducts an annual assessment and evaluation of the DST’s compliance with laws and regulations and provides a feedback report with its own findings, conclusions and recommendations for compliance. Furthermore, the DST has implemented the following internal policies:
To ensure that the DoE’s strategic planning processes are adequately implemented throughout the entire organisation, the DoE, through its Executive Committee, has established a Strategic Steering Committee. The Strategic Steering Committee has been tasked with the responsibility of driving the entire strategic agenda and planning processes in the organisation and includes branch representatives from both support and line functionaries. Furthermore, the Strategic Steering Committee has formulated a ‘Strategic Alignment Document’ for ensuring that the DoE’s strategic plans and its annual performance plans are aligned to the Medium-Term Strategic Framework, as well as the National Development Plan (GCIS
The DoE has implemented the following five departmental policies for the protection of its data and information assets:
Each of the three government departments, situated at the national sphere of government, has therefore implemented certain structures for the handling of its data and information assets to ensure that departmental staff have an understanding of their respective roles, responsibilities and functions in the processes of collecting, classifying and storing the government’s PSDI assets. All government departments have their own unique internal processes for the classification of classified or confidential or critical or sensitive data and information assets.
The DEA is situated at the national sphere and has policymaking and implementation roles, responsibilities and functions that are derived from section 24 of the Constitution, which is geared towards the protection of South Africa’s oceans, biodiversity and ecosystems. The purpose of the DEA’s structural context is to ensure that it provides strategic leadership and centralised administrative functions and executive support and efficient corporate services that will facilitate achieving effective governance management practices, theories and functions towards environmental protection. The following departmental structures have been identified in the DEA:
The DST’s national policymaking and implementation functions, roles and responsibilities are derived from the White Paper on Science and Technology of 1996 (RSA
The following departmental structures have been identified in the DST:
The DoE’s national policymaking and implementation functions, roles and responsibilities are derived from the White Paper on Energy Policy of 1998 (RSA
The following departmental structures have been identified in the DoE:
From an IT perspective, it is not the responsibility of the IT department to determine the internal data- and information-classification processes. The only function that the IT department has is to develop and implement the security measures and systems needed for the protection of critical assets as indicated by the Records Management Directorate’s processes. The processes related to the classification of data and information assets are therefore explicitly facilitated by the Records Management Units.
The DEA implemented a number of systems that are utilised to ensure intensive, effective and efficient efforts towards the protection and sustainability of South Africa’s environment and ecosystems. Through the use of advanced and improved DISG infrastructure and resources, the DEA has uniquely designed and implemented information systems that allow the consistent, free flow of data and information assets throughout the department. The DEA has an array of directorates, department divisions and functional responsibilities that require accessible, user-friendly and effective information systems for the delivery of environmental goods and services, as well as for ensuring the operational efficiency and productivity of the DEA. The following were identified as data and information systems that have been developed to aid the protection of PSDI in the DEA:
The DST has heavily invested in the development and implementation of a number of scientific, technological and innovative data and information systems that are geared towards the provision of highly standardised knowledge and research outputs in the areas of ST&I. The data and information systems that have been established by the DST are targeted at formulating a rich knowledge base that makes use of groundbreaking ST&I research outputs as a tool for assisting the government towards its long-term socioeconomic goals and objectives. The deployment of advanced ICTs has given the DST the opportunity of utilising accessible, user-friendly and effective information systems for the delivery of highly standardised ST&I strategies, programmes and projects. The DST has an array of directorates, department divisions and functional responsibilities that have uniquely designed information systems that are custom made for the needs of freely exchanging data and information assets internally in the DST as well as externally to the country’s citizenry, private sector institutions, supply chain partners, academic and research institutes, international bodies and various other stakeholders.
The following were identified as data and information systems that have been developed to aid the protection of PSDI in the DST:
The DoE is mandated to ensure the provision of secure and sustainable energy supply sources in South Africa to achieve and encourage the collective socioeconomic growth and development of the country. Furthermore, the DoE is also responsible for ensuring that the same provision of energy supply in the country is managed effectively and efficiently to minimise its impact on the environment through the formulation, implementation and maintenance of sustainable and renewable energy supply technologies, policies, principles and practices. The DoE is tasked with the responsibility of ensuring that it collects, refines, stores and distributes to the country’s citizenry data and information assets regarding the country’s energy sources and environments that are factual, reliable, timely and freely accessible. The DoE has an array of directorates, department divisions and functional responsibilities that constantly need access to reliable, factual and unbiased data and information assets for the purpose of making sound decisions. As a result, the DoE must develop and implement information systems that can be custom made for the purpose of freely exchanging data and information assets internally and with its stakeholder partners in the energy sector.
The following information system was identified in the DoE:
The ability to improve DISG theories, practices and management functions requires intensive approaches to developing and instilling DISG cultures, plans, strategies, goals and objectives in public sector institutions. The following have been identified as the style, staff, skills and shared values of the DEA, DST and DoE:
Section 24 of the Constitution of 1996 empowers the DEA to explore and apply rigorous policies, laws and regulations in pursuit of effective and efficient tools and approaches for the protection and sustainability of South Africa’s natural environment and ecosystems. The DEA’s organisational culture is people centric to promote work–life balance, collegiality, empathy and teamwork. The DEA therefore strives to uphold values of integrity, professionalism, ethical conduct and diversity. The DEA also intends to uphold its culture and shared values by consistently striving towards employing principles and practices that are environmentally conscious and sustainable (DST
The White Paper on Science and Technology of 1996 (RSA
The DoE has the legal mandate to ensure secure, sufficient and sustainable energy sources geared towards socioeconomic growth and development for all those who live within the borders of South Africa. This is driven by the DoE’s dedication and focus towards the formulation, implementation and overseeing of energy policies, regulatory frameworks, energy security measures and the promotion of environmentally friendly energy sources in its respective sector. The service delivery approach of the DoE is guided and driven by its internal value systems, which include the Batho Pele principles and practices towards improved service delivery in the energy sector. The DoE firmly believes in portraying strong ethical principles, honesty and integrity in its respective fields of work and in the communities it operates and engages with. This has led to the delivery of professional, accountable and transparent public service delivery outputs in the energy sector (DoE
Public sector institutions are particularly focussed on the protection of their IT systems and infrastructure and lack effective DISG systems to improve the protection of PSDI. The formulation and implementation of integrated DISG management practices and approaches could assist the government in its efforts to counteract cybercrime, as well as ensuring its sustainable and long-term goals and objectives towards effective cyber security of its PSDI. Data and information security governance management practices and functions in the South African public sector context are very limited, and there is a dominant focus on IT and IT security. The findings also suggest that DISG policies, practices and systems have been found to be lacking in public sector management and governance functions. Data and information security governance is frequently practised in private sector management functions and not particularly in the public sector. In order for the government to improve its efforts towards the institutionalisation of DISG management practices, its public sector institutions must have clearly defined roles, responsibilities and functions. Government departments are often challenged by the bureaucratic systems and processes embedded in public sector administration functions. This unfortunately results in the duplication of functions and unstandardised public sector outputs and the mismanagement of scarce resources. Data and information security governance practices, principles and functions indicate that the protection of an organisation’s critical data and information assets is an interrelated process that cannot be completed in isolation and requires a uniform approach and systematic application. 
Reinventing the roles, responsibilities and functions of public sector institutions in the protection of their PSDI assets through the institutionalisation of DISG management principles and practices could improve the processes and synergy of data governance (DG), information governance and information security governance (ISG). This will therefore improve the processes, systems and mechanisms related to the collection, classification, storage and transmission of PSDI between the government and its citizenry in creating and maintaining a reliable, factual and unbiased information society. Furthermore, it is recommended that further research be conducted on how DISG policies, practices and systems could be successfully implemented across all three spheres of government as this research article only focussed on the national sphere of government.
This article is partly based on a published master’s dissertation, ‘Data and Information Security Governance in the Departments of Energy, Science and Technology, and Environmental Affairs’, by Lucia Masilela, under the supervision of Prof. Danielle Nel-Sanders, at the University of Johannesburg.
The authors have declared that no competing interests exist.
All authors contributed equally to this work.
This research did not collect or use any sensitive data. It is important to always be honest and give acknowledgment and credit for the work of authors who contributed to a study. According to the Protection of Personal Information (PoPI) Act (No. 4 of 2013), no personal details were used for this study without the acknowledgment and consent of the participants. Informed consent documents were used that uphold the principles of the University of Johannesburg’s Ethics Research Charter to protect the university, the researcher, and the participants of the study, who may be individuals or organisations as a whole.
This research was funded by the National Research Foundation (NRF), under the Thuthuka Grant Scholarship.
The data results and interpretations presented in this article are those that have been collected from a qualitative research study by the student. These data findings are therefore research results from a master’s dissertation that was completed in 2019 at the University of Johannesburg.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of any affiliated agency of the authors.