Preface

This research document is part of a series created for the Greenleaf Group to highlight the importance of data and its use across financial services organizations. See the About Greenleaf section below. This report focuses on data monetization and its role in driving profitability in the banking industry.

Introduction

This is the fifth installment in my series on data management, valuation, and value creation. In the first four installments, I focused on Life Science companies.[2-5] Now, I turn my attention to the financial services industry. I have been fortunate to work in both sectors and have gained insights that apply across these fields. Financial services, like life sciences, have become heavily reliant on data; data is now a vital part of the industry, driving everything from risk modeling and fraud detection to payments innovation and highly personalized customer experiences. However, as data volumes increase—and regulatory expectations rise—so do the challenges of managing, protecting, and deriving value from data.

I’ve worked with property and casualty insurers, employee benefits carriers, and international commercial banks. Across these organizations, the real opportunity isn’t just collecting more data but transforming it from an operational byproduct into a strategic asset that manages risk, drives competitive advantage, and supports long-term growth. This challenge mirrors what’s seen in the life sciences industry, though from a different perspective.

Commercial Banks

Commercial banks make money in eight basic ways [6]:

1. Net interest income on Loans - essentially paying less for the funds they loan to customers, and what the customer pays in interest.[7]

For example:

• The bank pays the depositor 1% interest on money deposited as savings

• The bank lends the money out at 6%

• The bank earns 5% on the difference, called net interest margin (NIM

2. Fees for Services – Banks charge fees for a variety of services. Bank fees are a significant source of revenue for financial institutions and can vary by service, making it essential for consumers to understand and monitor these charges. Fees vary by service and can add up quickly, especially for consumers. [8] These include:

• Checking and account maintenance

• ATM usage

• Wire transfers

• Overdraft Fees

• Mortgage origination

• Loan servicing

• Wealth and asset management

• Safe deposit boxes

• Merchant services (card processing for businesses)

3. Credit Card Revenue – Credit cards generate three types of income. Consider American Express. Although not technically a commercial bank, the company operates as a credit card issuer, and its business model is emulated by commercial banks. American Express earns most of its revenue from discounting merchant transactions. The company also generates income from cardholders through interest, annual fees, and conversion fees. American Express’s spend-centric model incentivizes card usage with special offers and rewards. Despite higher merchant fees, many businesses accept Amex to reach affluent cardholders. American Express continues to expand its premium consumer base and strengthen its global network. [9]

4. Investment Income – Banks invest money in:

• Government and corporate bonds

• Securities (Common stock and bonds)

• Money markets

• Other banks’ loan and investment portfolios

Morgan Stanley, for example, is one of the largest commercial banks in the world. Institutional securities, wealth management, and investment management drive Morgan Financials. Institutional securities are a significant revenue source, with services such as investment banking and financial advice. Wealth management generates stable revenue through services such as brokerage, lending, and retirement planning. Investment management focuses on asset management for institutional clients and contributes a smaller share of revenue. [10]

Banks also operate trading desks (in market-making, derivatives, and foreign exchange) – potentially very profitable but also high-risk. The 2008 financial crisis was mainly due to the widespread use of credit default swaps, a form of financial derivative. [11]

5. Wealth Management & Advisory Services – for high-net-worth customers. These services include:

• Financial Planning

• Investment management

• Private banking

• Trust services

• Merger and acquisition advisory services (large banks) [10]

6. Loans and credit products – for both consumers and businesses, earning interest and fees on all these products. These include:

• Home and Commercial Mortgages

• Personal loans

• Auto loans

• Small business loans

• Corporate lending

• Lines of credi

• Student loans

7) Treasury & cash management services - for businesses, providing recurring revenue. These include:

• Payroll processing

• Fraud protection

• Cash concentration

• Account reconciliation

• Lockbox services

• Short-term liquidity solutions

8) Foreign Exchange (FX) and International Banking - the foreign exchange market sets the exchange rate for many global currencies. Banks profit in FX by:

• Charging for foreign exchange conversion fees

• Selling currency at a markup (arbitrage)

• Facilitating international payments

• Offering hedging financial instruments (for corporations) [12]

As this list illustrates, the range of products offered by commercial banks is diverse and complex. In the era of Bitcoin and artificial intelligence, financial services organizations face new challenges, requiring me to focus intensely on executive-level cybersecurity strategies. Instead of focusing solely on network configurations or endpoint security, I highlighted organizational structure, risk management, and the reasons behind protecting information. Financial institutions—more than any other industry—depend heavily on data integrity and customer trust as key assets. Understanding the economics of cyber risk is essential: what are the financial consequences of inadequate information protection? What tangible value do secure data assets provide? [13]

As in the life sciences, the answer becomes clear when examining the modern balance sheet. For most global companies—including banks and FinTechs—the primary asset class is intangible assets. Under IFRS, intangible assets are “non-monetary assets without physical substance,” yet they hold future economic value and are often the most strategically important assets in financial services.

In banking and FinTech, intangible assets include customer data, proprietary algorithms, risk models, transaction data, fraud analytics, and AI-driven intellectual property. Although these assets are unseen, they are often more valuable than physical infrastructure. They support competitive advantage and regulatory compliance while enhancing the customer experience.

The World Intellectual Property Organization estimates that the global value of intangible assets now exceeds USD 80 trillion. Technology, payments, and financial platforms make up a large part of the world leaders in this category.

Conclusion

For the financial services industry, data is a significant driver of economic value in today’s financial ecosystem. Institutions that excel at creating data value—through analytics, governance, monetization, and AI—will determine the winners in banking, payments, and FinTech over the coming decade.

Financial services firms are exploring new data-driven frontiers across many areas. Below, I focus on two that are changing most rapidly. Additional aspects will be discussed in future posts.

While I highlighted revenue and profitability in banks, nearly every function in financial services is undergoing data-driven reinvention:

1. Algorithmic trading and quantitative strategies

2. Customer Insights, market Intelligence, and personalization

3. Customer onboarding and digital identity

4. Environmental, social, and governance (ESG) – sustainability scoring

5. Financial product pricing models

6. Operational efficiency modeling

7. Payments and settlement optimization

8. Regulatory reporting automation

9. Risk, Fraud, and Compliance Analytics

10. Treasury and liquidity analytics

These topics will be the focus of future articles.

How Green Leaf Consulting Group Assists Financial Institutions

Green Leaf Consulting Group brings hands-on experience helping financial organizations harness the value of data across risk, customer analytics, digital transformation, and strategic decision making.

Looking Ahead

In this series, I will explore additional dimensions of financial data strategy, including:

· Direct and indirect monetization of financial data

· ROI of modern data capabilities

· business value creation through data-driven optimization

· The transformative force of AI

Mastering data assets will define the winners and losers in the evolving financial services ecosystem.

References

1. Services, E.L., Financial Services Graphic. 2024, Elevate Legal Services: https://elawfirm.org/blog/understanding-the-electronic-funds-transfer-act-efta-what-you-need-to-know/.

2. Ferrara, E., Data in the Evolving world of Life Sciences - Part 1, in Greenleaf Insights, M. Miner, Editor. 2025, Greenleaf Group: Ambler, PA, USA.

3. Ferrara, E., Data in the Evolving World of Life Sciences - Part 2: Change and Measurement, in Greenleaf Insights, M. Miner, Editor. 2025, Greenleaf Group: Ambler, PA, USA.

4. Ferrara, E., Data in the evolving world of Life Sciences - Part 3: Compliance, Regulation, and National Security, in Greenleaf, M. Miner, Editor. 2025, Greenleaf Group: Ambler, PA, USA.

5. Ferrara, E., Data in the evolving world of Life Sciences - Part 4: Chaos to Order, in Greenleaf Insights, M. Miner, Editor. 2025, Greenleaf Group: Ambler, PA, USA.

6. Board, F.R., Federal Reserve Board Large Commercial Banks: September 30, 2025. 2025, Federal Reserve Board New York, NY, USA.

7. Mahajan, O., Net Interest Margin - Overview, Components, and Examples, in Wall Street Oasis, W. El Maouch, Editor. 2025, Wall Street Oasis.

8. Kenton, W., Comprehensive Guide to Bank Fees_ Types, Definitions, and How to Avoid Them.pdf>, in Investopedia, C. Potters, Editor. 2025, Investopedia: Investopedia.com.

9. Reiff, N., How American Express Profit: Fees, Interest, and Merchant Revenue, in Investopedia, E. Estevez and M. Rosenston, Editors. 2025, Investopedia: https://www.investopedia.com

10. Jonas, D., Morgan Stanley’s Revenue Streams: Institutional, Wealth, & Investment Management, in Investopedia, T.J. Catalano, Editor. 2025, Investopedia:

https://www.investopedia.com.

11. Liu, J., Credit Default Swap (CDS) - A Major Player in the 2008 Financial Crisis, in Wall Street Oasis, I. Lin, Editor. 2025, Wall Street Oasis: wallstreetoasis.com.

12. Cusimano, J., What Is the Foreign Exchange Market? How It Works & Examples, in Forex Resources. 2024, Satrys: https://statrys.com

13. Institute, C.F. Intangible Assets. 2025; Available from: https://corporatefinanceinstitute.com/resources/accounting/intangible-assets/.

Preface

This article is part of a series created for the Greenleaf Group to highlight the complexity of data and its use across organizations of various sizes and industries. See the About Greenleaf section below. This research report focuses on technology providers who claim to revolutionize data analytics with Artificial Intelligence.

Key Insights

• AI is shifting analytics from reporting to real-time decision infrastructure. Organizations are moving beyond descriptive insights toward automated, adaptive systems that directly influence operational outcomes and strategic execution.

• Automation is materially improving productivity and speeding insight. AI-driven automation of data preparation, modeling, and experimentation is reducing development cycles and enabling faster deployment of analytics capabilities.

• Competitive advantages will shift toward organizations that operationalize and automate analytics. Firms that embed AI into core processes — such as risk management, customer engagement, and supply chain optimization — will outperform those that treat analytics as a standalone reporting function.

• Enterprise data platforms are evolving into AI platforms. Integrated environments that unify data management, machine learning pipelines, and generative AI capabilities are simplifying architecture and accelerating innovation.

• Governance and model risk management are now board-level concerns. As AI systems influence financial, operational, and customer decisions, oversight of transparency, bias, explainability, and regulatory compliance becomes critical.

Introduction

This paper

Artificial Intelligence (AI) is revolutionizing data science and analytics by fundamentally improving what practitioners can accomplish and, in some cases, shifting the role of the data scientist.

Automation of routine tasks is probably the most immediate impact. Tasks like data cleaning, feature engineering, and model selection — which used to take up most of a data scientist’s time — can now be largely automated through automated machine learning (AutoML) and AI-assisted pipelines. This allows more time for higher-level problem framing and interpretation.

Natural Language Querying (NLQ) makes analytics more accessible. For example, tools like text-to-SQL and AI-powered BI platforms enable business users to query data in plain English, reducing the workload for technical staff. Someone without SQL skills can now ask, “What were our top-performing regions last quarter?” and receive a meaningful and detailed answer. Technologies such as Snowflake and Databricks offer multidimensional data analysis.

Speed

Faster and more efficient modeling is another breakthrough. Foundation models and transfer learning mean teams no longer need large, labeled datasets to build useful predictive models. LLMs also help in writing analysis code, creating documentation, and clarifying model outputs in simple language — thereby speeding up workflows.

Anomaly Detection

Anomaly detection and real-time analytics have improved significantly. AI systems can now monitor complex data streams and identify issues much faster than traditional threshold-based alerts, which is crucial for fraud detection, operations monitoring, and infrastructure management.

AI Has Challenges

AI presents new challenges: data quality and governance matter more than ever (garbage in, garbage out — now at scale), model interpretability is a growing concern, and there is an ongoing debate over bias and fairness in automated decision-making.

The Data Scientist

The role of the data scientist is evolving from someone who constructs models to someone who supervises, interprets, and manages AI systems — becoming more strategic and less purely technical. Some basic analysis tasks are being consolidated, while demand grows for people who can link AI capabilities with business judgment. For those involved in technology strategy and enterprise architecture, the main change is that AI is transforming analytics from just a tool for analysts into an essential operational capability integrated into business processes.

Data Science Lifecycle

The Data Science Lifecycle is a structured framework that describes the repetitive process data scientists follow to extract value and insights from data. While variations exist across organizations and frameworks, the most widely used are CRISP-DM and TDSP. [1,2]

CRISP-DM

The Cross-Industry Standard Process for Data Mining (CRISP-DM) is one of the oldest and most widely used frameworks for data science and data mining life-cycles. It was originally created in the late 1990s by a group of companies, including IBM, Daimler, and SPSS. [2]

The lifecycle is iterative rather than linear — findings at any stage often send the team back to an earlier one. Artificial Intelligence is significantly automating many of the technical tasks traditionally performed by data scientists.

TDSP

Team Data Science Process (TDSP) is a modern, agile framework created by Microsoft for collaborative, team-based data science projects in enterprise settings. Combining aspects of Scrum and CRISP-DM yields a process like Microsoft’s Team Data Science Process. Introduced in 2016, TDSP is described as “an agile, iterative data science methodology to deliver predictive analytics solutions and intelligent applications efficiently.” The approach is more streamlined, using five phases instead of eight compared to CRISP-DM. [3]

Figure 1 — Team Data Science Lifecycle

Automated Machine Learning Engineering Tools

New technology provides automated feature engineering capabilities:

• Automated model selection and hyperparameter tuning

• AI-assisted coding through systems such as GitHub Copilot

• Rapid experimentation with hundreds of candidate models

These tools:

• Reduce the time needed to develop models

• Lower the barrier to entry for non-specialists

• Allow data scientists to focus increasingly on problem framing, data quality, and governance rather than on algorithm construction

Predictive Analytics to Generative and Cognitive Analytics

AI advances new analytic paradigms and opportunities. Traditional analytics focused on predicting outcomes. AI now enables generative and reasoning capabilities.

Large language models like ChatGPT and Claude enable analysts to communicate and work in natural language rather than SQL or Python. This capability enables business users to more effectively engage with the data analysis process and actively engage in problem-solving.

Natural Language Interfaces to Data

AI is making it significantly easier for people of various skill levels to access data science and analytical systems. These tools provide:

• Text-to-SQL query generation

• Conversational data exploration

• Automated report generation

• AI-generated dashboards and narratives

Platforms such as Tableau and Microsoft Power BI now embed natural language query engines. Snowflake and Databricks, discussed in more detail below, also provide charts and graphs using Natural Language Querying (NLQ).

Analytics is shifting from specialist-led workflows to organization-wide decision platforms.

Synthetic Data and Data Augmentation

AI can generate synthetic datasets to address limitations in real-world data. Synthetic data is especially important in regulated industries like financial services and healthcare, where access to real-world data is restricted. Synthetic data enables high-quality analysis results for:

• Privacy-preserving data sharing

• Rare event modeling

• Medical research datasets

• Fraud detection training data

(See previous articles on data in the Life Sciences and Financial Services industries.)

AI-driven Data Engineering

AI is increasingly used in data preparation and pipeline management, which has historically accounted for 30% to 75% of data science efforts.

Examples include:

• Automated Schema Mapping

• Data Quality Anomaly Detection

• Intelligent Data Cataloging

Figure 2 — Most Time Consuming Tasks [7]

AI Governance

For enterprise organizations, the rapid progress of AI is leading to a new field: AI governance architecture. At the heart of this change is the growing role of the data scientist, whose tasks are expanding beyond their traditional focus on statistical modeling, algorithm selection, and data cleaning.

Today’s data scientists are increasingly asked to tackle higher-level challenges — defining the right problems, applying deep domain expertise, and designing decision systems that combine human judgment with machine intelligence. Importantly, they are also taking on the role of stewards of model governance, ensuring that AI systems remain transparent, accountable, and aligned with organizational values.

This shift reflects a broader understanding that creating effective AI isn’t just a technical effort, but a sociotechnical one — requiring data scientists to work at the crossroads of technology, ethics, and business strategy.

Convergence of AI, Data Platforms, and Analytics

The rapid advancement of artificial intelligence is leading to a merging of data platforms, machine learning infrastructure, and analytics systems. Traditionally, organizations kept separate platforms for data warehousing, machine learning experiments, and operational analytics. Today’s AI platforms combine these layers into unified environments that support the entire data-to-decision process.

Two of the most influential platforms shaping this architecture are Snowflake and Databricks. Both platforms offer integrated environments that combine large-scale data storage, distributed computing, machine learning pipelines, and increasingly, generative AI capabilities.

Table Notes

[1] A neural network is a computational model composed of layers of interconnected nodes (neurons) that transform input data through weighted mathematical operations to learn complex relationships and make predictions.

[2] Transformer architecture is a neural network design used in modern artificial intelligence systems, especially large language models (LLMs) — that enables machines to understand relationships between words, sequences, or data elements using a mechanism called attention.

Table Notes

[1] Apache Spark™ is an open-source unified analytics engine for distributed data processing that supports batch processing, streaming, machine learning, and SQL-based analytics at scale.

[2] Delta Lake™ is an open-source data storage framework that brings reliability, performance, and governance features typically found in data warehouses to data lakes. It was developed by Databricks and is a foundational technology in modern Lakehouse architectures.

[3] Snowflake Cortex™ is an integrated AI service layer within the Snowflake platform that provides prebuilt and customizable AI functions — including large language model (LLM) inference — for analytics, data engineering, and application development.

[4] Mosaic AI™ is a unified generative AI platform within Databricks that enables enterprises to develop, deploy, and govern AI applications using their own data and scalable Lakehouse infrastructure.

The platforms have different philosophies, described as closed/managed vs. open/flexible. Snowflake optimizes for simplicity, concurrency, and SQL performance out of the box. Databricks optimizes for flexibility, openness, and the full data+ML lifecycle — but at the expense of operational complexity.

In practice, many organizations use both platforms:

• Snowflake for enterprise analytics and data sharing

• Databricks for large-scale machine learning and AI model development

Conclusion

AI is fundamentally transforming analytics architectures, turning data platforms into integrated, AI-powered environments that handle structured, semi-structured, and unstructured data — including streaming data — while supporting the entire machine learning lifecycle. These platforms enhance accessibility with natural language interfaces such as conversational analytics and text-to-SQL, and incorporate governance features like data lineage, model oversight, and regulatory compliance directly into the infrastructure. The result is a unified system where data ingestion, AI model development, and operational decision-making work together within a single, cohesive architecture.

Strategically, this shift indicates a move from viewing analytics as a support role to making it a central part of operations. Success is now judged not just by access to data but by the ability to deploy insights reliably, at scale, and with proper governance. Organizations that naturally align their data platforms, AI tools, and decision-making processes — rather than keeping them separate — will be better positioned to simplify their architecture, reduce AI risks, and deliver measurable business results.

About Green Leaf

Green Leaf Consulting Group offers practical experience in helping financial organizations leverage data for risk management, customer analytics, digital transformation, strategic decision-making, and AI-driven innovation.

References

1. Wirth, R. and J. Hipp. CRISP-DM: Towards a standard process model for data mining. 4th International Conference on the Practical Applications of Knowledge Discovery and Data Mining. 2000.

2. Chapman, P., CRISP-DM 1.0: Step-by-step data mining guide. 2000, SPSS: Netherlands.

3. Data Science PM, What is TDSP? 2025. https://www.datascience-pm.com/tdsp/

4. Ferrara, E., Data in the Evolving World of Life Sciences: Chaos to Order. Greenleaf Group Insights, 2025. https://greenleafgrp.com/insights/data-in-the-evolving-world-of-life-sciences-chaos-to-order/

5. Ferrara, E., Risk, Regulation, and Trust: Why Data Governance Defines Leadership in Banking and FinTech. Greenleaf Insights, 2026. https://greenleafgrp.com/insights/risk-regulation-and-trust-why-data-governance-defines-leadership-in-banking-and-fintech/

6. Crowdflower, Data Science Report. 2016. https://www2.cs.uh.edu/~ceick/UDM/CFDS16.pdf

7. Anaconda, 2023 State of Data Science Report — AI Takes Center Stage. 2023.

8. Anaconda, 8th Annual State of Data Science & AI Report: How Companies Are Moving Ahead — Or Not — In the AI Race. 2025.

9. Clegg, N., et al., AI Governance Alliance: Briefing Paper Series. 2024.

Footnotes

Tableau — Provides a powerful data visualization and business intelligence platform that enables users to explore and analyze data through visually engaging dashboards. It allows organizations to turn raw data into actionable insights, fostering a data-driven culture (www.tableau.com).

Microsoft Power BI — A robust business intelligence platform designed to transform raw data into meaningful insights through interactive dashboards and reports. This cloud-based service integrates seamlessly with the Microsoft ecosystem, providing powerful data visualization and analytics capabilities for users across various industries.

Data Preparation statistic — The “30% to 75% of data science effort is spent on data preparation” statistic is widely cited in industry and academic literature and originates from multiple consistent observations across surveys and practitioner reports.

AI Data Cloud — Snowflake now uses the term AI Data Cloud as part of their branding. In the past the industry term Cloud Data Warehouse has also been used.

Neural network — A computational model composed of layers of interconnected nodes (neurons) that transform input data through weighted mathematical operations to learn complex relationships and make predictions.

Transformer architecture — A neural network design used in modern AI systems, especially large language models (LLMs), that enables machines to understand relationships between words, sequences, or data elements using a mechanism called attention.

Apache Spark™ — An open-source unified analytics engine for distributed data processing that supports batch processing, streaming, machine learning, and SQL-based analytics at scale.

Delta Lake™ — An open-source data storage framework that brings reliability, performance, and governance features typically found in data warehouses to data lakes. Developed by Databricks, it is a foundational technology in modern Lakehouse architectures.

Snowflake Cortex™ — An integrated AI service layer within the Snowflake platform that provides prebuilt and customizable AI functions — including large language model (LLM) inference — for analytics, data engineering, and application development.

Mosaic AI™ — A unified generative AI platform within Databricks that enables enterprises to develop, deploy, and govern AI applications using their own data and scalable Lakehouse infrastructure.

Preface

This article is part of a series developed for Greenleaf Group to highlight the complexity of data and its use across organizations of all sizes and across vertical industries. The first four articles in this series focused on the life sciences industry. Subsequent articles will focus on other industries and on technology providers promising to revolutionize data analytics through Artificial Intelligence.

Compliance, Regulation, and National Security

Preface

This article is part of a series developed for the Greenleaf Group to highlight the complexity of data and its use across organizations of all sizes and across vertical industries. The first four articles in this series focus on the life sciences industry. Subsequent articles will focus on other industries and on technology providers promising to revolutionize data analytics through artificial intelligence.

Introduction

In my past two blogs, I explored the role of data in life sciences, first through the lens of research and development and medical affairs, and then through the principles of quality and compliance in manufacturing. This next frontier takes that discussion one step further. Today, compliance and regulation in life sciences extend beyond clinical and manufacturing oversight; they now intersect with national security. As data volumes grow and global collaboration increases, protecting sensitive health and research information has become not only a matter of privacy and ethics but also of geopolitical importance.

Historically, life science organizations had to worry only about the United States Food and Drug Administration (FDA), the European Medicines Agency, and other countries’ pharmaceutical regulatory agencies.

In general, Life Science companies operated outside the scope of US national security regulations and exemptions from US Privacy laws. The United States has recognized that certain countries maintain an adversarial stance towards it.

Protecting Americans’ Sensitive Data from Foreign Adversaries

On February 28, 2024, President Joe Biden signed an executive order expanding the scope of Executive Order 13873 (May 15, 2019) and Executive Order 14034 (June 9, 2021) – Protecting Americans’ Sensitive Data from Foreign Adversaries. President Biden issued this order in response to certain countries attempting to steal various types of sensitive bulk personal data [KB1] [EF2]. From the administration’s perspective, this appropriation of this information constituted an unusual and extraordinary threat, originating in whole or in substantial part outside the United States, to the national security and foreign policy of the United States. Access to Americans’ bulk sensitive personal data or United States Government-related data increases the ability of countries of concern to engage in a wide range of malicious activities. Countries of concern could use advanced technology (e.g., artificial intelligence) to analyze and manipulate large volumes of sensitive personal data to engage in espionage, influence kinetic or cyber operations, and identify strategic advantages over the United States.[1]

Building on the Biden Era Executive Order

In April 2025, the United States Department of Justice’s (US-DOJ) Final Rule Restricting Transfers of Bulk Sensitive Personal Data took effect, marking a watershed moment for national security and biomedical research. Codified at 28 C.F.R. Part 202, the rule implements President Biden’s Executive Order 14117, which prohibits or restricts US persons from providing bulk sensitive personal data—or any government-related data—to “countries of concern” or entities under their control. [1]

On April 8, 2025, the Trump administration finalized an executive order that expanded the Biden administration’s language and specifically targeted the life sciences industry.[2]

The implications of this rule are significant for the life science industry. Life science companies and their medications frequently rely on human genomic, clinical, and biomarker data. The rule’s reach extends beyond espionage prevention; it rethinks how biotech, pharma, and digital health companies handle cross-border data, manage vendors, and design research collaborations.

A New National-Security Frontier in Data

The United States Department of Justice deems foreign exploitation of Americans’ health and genomic data an “unusual and extraordinary threat.”

The new rule closes a significant gap in US national security authorities: until now, foreign adversaries could buy or license US data through commercial IT. In Deputy Attorney General Todd Blanche’s words, “Why hack it when you can buy it?”

The rule formally designates countries, including:

• China (including Hong Kong and Macau)

• Cuba

• Iran

• North Korea

• Russia

• Venezuela

These countries are designated explicitly as of concern because they demonstrate the intent and capacity to use such data for surveillance, coercion, or military advantage. [3]

What is “Bulk Sensitive Personal Data”?

Bulk United States sensitive personal data is any collection or set of sensitive personal data related to US persons, encompassing all formats. For life-science organizations, “bulk” means more than volume—it defines the regulatory threshold for restrictions. Under the Final Rule, any dataset—whether anonymized, pseudonymized, or encrypted—can trigger compliance obligations if it meets or exceeds these limits within 12 months.

This information includes anonymized, pseudonymized, de-identified, or encrypted data that meets or exceeds the thresholds set by the new regulations. Any combination of these types that meets the lowest threshold also qualifies as bulk. That means even a modest-sized clinical trial can fall squarely within the rule. See Tables 1, 2, and 3 below.

Key Aspects Life Science companies must evaluate how they handle bulk sensitive personal data and ensure that any commercial uses of this information do not include sales to the US-DOJ listed countries of concern.

Implications

To ensure compliance, Life Science companies must assess their business models to determine which information is covered by the new rule.

Covered Data Transactions

There are two types of government-related data. The first is any precise geolocation data, regardless of volume, for any location within any area enumerated on the Government-Related Location Data List in the original Biden executive order. The second type of government-related data is any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or retired senior officials, of the United States Government, including the military and Intelligence Community. These provisions also include “recent former employees” or “recent former contractors” – employees or contractors who worked for or provided services to the United States government, in a paid or unpaid status, within the past two years of a potential covered data transaction with a country of concern or covered person.

Table Notes and Definitions

Proteomics is the large-scale study of proteins, particularly their functions and structures. It involves the identification, quantification, and analysis of the entire set of proteins expressed by a genome, cell, tissue, or organism at a given time.

Transcriptomics is the study of the transcriptome, which comprises all the RNA molecules transcribed from the DNA in a cell or organism at a specific time. This field of research focuses on understanding gene expression patterns, RNA processing, and the functional roles of various RNA species.

Epigenomics is the study of the epigenome, the complete set of epigenetic modifications in a cell’s genetic material. These modifications do not alter the DNA sequence but can influence gene expression, cellular functions, and ultimately organismal development and health.

Key Prohibitions and Restrictions [4]

The US-DOJ separates “covered data transactions” into prohibited, restricted, and exempt categories.

Prohibited transactions include:

• Data brokerage—the sale, licensing, or commercial transfer of bulk data to a covered person or country of concern.

• Any transaction giving such entities access to bulk human ‘omic’ or biospecimen data.

• Restricted transactions include vendor, employment, or investment agreements with covered persons or countries of concern. These may proceed only if the US party adopts the Cybersecurity and Infrastructure Security Agency (CISA) security requirements and maintains a DOJ-compliant Data Compliance Program with annual audits and officer certification.

  Necessary Exemptions [4]

The new rule provides for some exempt transactions to protect legitimate scientific and regulatory activity:

• FDA-regulated clinical investigations and post-marketing surveillance using de-identified or pseudonymized data.

• Submissions required by the FDA or foreign health authorities.

• Federally funded research, telecommunications, financial services, and official US government business.

From Privacy to National Security

There is growing awareness among many governments worldwide that adversaries can weaponize various types of personal information. Unlike HIPAA or GDPR, which hinge on individual privacy and consent, the new DOJ rule is grounded in national security risk and applies to all information and events, including de-identified data. The US-DOJ’s National Security Division (NSD) explicitly likens the regime to export controls on data, placing it alongside sanctions administered by OFAC. US persons must “know their data”—inventory what they hold, where it flows, and who ultimately accesses it.

Data protection and national security fusion reflects a global trend: information is now a strategic resource. For life sciences, where genomic data is the new oil, the rule underscores that data sovereignty is security sovereignty. [5]

Impact on Life-Science Companies

In my first blog, I explained that intangible assets dominate the balance sheets of most modern companies. Other authors have noted “Data is the new oil” [6] [7]. Few industries rely more heavily on cross-border data sharing than biotechnology and healthcare. Clinical trials, genomic sequencing, contract research, and post-marketing surveillance all involve global data flows.

Yet these very strengths—data intensity and international collaboration—create exposure under the new rule. The rule’s breadth, departure from existing privacy-focused laws, and significant civil and criminal penalties mean life-science companies must now evaluate how to minimize risk in prohibited and restricted transactions

For many of Green Leaf’s life sciences clients, these shifts have prompted a reassessment of how data is stored, shared, and governed. Cloud strategy, vendor selection, and data classification polices now carry implications that reach beyond compliance.

Violations

Like other regulations with criminal liability, violating the new rule is a serious issue. Violations carry civil penalties up to $368,000 or twice the transaction value, and criminal penalties of $1 million and 20 years’ imprisonment for willful acts.

Life Science’s Plan for Action [4]

Life Science companies that generate and use bulk “omic” information must:

• Establish a Data Compliance Program – A written, risk-based program identifying data types, transaction parties, and data-flow maps; certified annually by a senior officer.

• Conduct independent audits – Annual audits verifying adherence to CISA security controls and compliance procedures.

• Maintain records for ten years – Covering transaction details, licenses, advisory opinions, and audit results.

• Report certain events – Including rejected prohibited transactions and suspected onward transfers to countries of concern.

• Develop an Action Plan that includes:

  • Map global data flows

  • Screen Counterparties

  • Amend contracts

  • Leverage exemptions

  • Integrate security frameworks

  • Educate leadership

Conclusion

As noted in my prior posts, the life science sector is experiencing a data revolution. From drug development to regulatory approval and manufacturing, Data analytics and AI are unlocking insights across genomics, clinical trials, and precision medicine.

However, with innovation comes exposure: the same datasets that enable breakthroughs can also reveal national vulnerabilities if exploited by adversaries.

The DOJ’s Data Security Program signals that data protection is now a matter of national defense, not merely corporate compliance. For life-science companies, aligning discovery with defense isn’t optional—it’s the new operating reality.

The 2025 DOJ Data Rule marks the first comprehensive US attempt to treat personal and biomedical data as a strategic asset. Life science organizations that proactively build compliant, risk-based data security programs will not only avoid penalties—they will also earn trust as stewards of America’s future genomic and health data.

Green Leaf Consulting Group is well-positioned to assist Life Science companies in understanding the risks. The experts at Green Leaf can design and implement a compliance action plan for the new rule, providing data flow analysis, information supply chain mapping, contract review, and modification of information security frameworks (policies and procedures). They can also educate leaders and managers on the implications of these changes and how to address them.

References

1. Biden, J.R., Executive Order 14117 of February 28, 2024, T.W. House, Editor. 2024, US Federal Register, Washington, DC.

2. Pierce, J.C., et al., Life Sciences Companies Must Navigate the DOJ Data Rule, in Goodwin - Alerts. 2025, Goodwin LLP: Boston, MA.

3. Division, N.S., Data Security Program: Compliance Guide, U.S.D.o. Justice, Editor. 2025, United States Department of Justice - National Security Division: Washington, DC.

4. Section, N.S.D.F.I.R., National Security Division Data Security Program Compliance Guide - 04112025, U.S.D.o. Justice, Editor. 2025, United States Department of Justice: Washington, DC.

5. Egan, M., et al., The DOJ’s Bulk Sensitive Personal Data Rule’s Imminent Relevance to Life Sciences Companies, in Cooley Alert. 2025, Cooley LLP: Palo Alto, CA.

6. Bhageshpur, K., Data Is The New Oil -- And That’s A Good Thing, in Forbes Technology Council. 2019, Forbes.

7. Technology, O.I., The DOJ Big Data Act: What Insurers Need to Know. 2025, OIP Insurance Technology: Henderson, NV.

Preface

This article is part of a series developed for Greenleaf Group to highlight the complexity of data and its use across organizations of all sizes and across vertical industries. The first four articles in this series focus on the life sciences industry. Subsequent articles will focus on other industries and technology providers promisi…

Read more

This article is part of a series developed for Greenleaf Group to highlight the complexity of data held and used by organizations of all sizes and across vertical industries. The first four articles in this series focus on the life sciences industry. Subsequent articles will focus on the financial services industry and on technology providers promising to revolutionize data analytics through Artificial Intelligence.

Introduction

Data has become the lifeblood of the life sciences industry, powering everything from clinical trials and regulatory filings to precision medicine and digital therapeutics. Yet as data volumes grow, so do the challenges of managing, protecting, and deriving value from it.

Drawing on my experience as a former CISO at a $12B biopharma and an industry analyst at Forrester, I’ve seen firsthand how organizations struggle to balance innovation with security, compliance, and governance. The real opportunity lies in transforming data from a byproduct of operations into a strategic asset that drives scientific discovery and business growth. [MM1] While at Forrester, I focused on issues of importance to the Chief Information Security Officer. Most of my colleagues worried about the technical aspects of the network, operating system, and application security. I touched on those as well; however, I focused on management issues, such as what a modern cybersecurity team looks like and the financials of cybersecurity. Why does any company need to protect its information assets? If they believe they do, is there a quantitative rationale for such protection?

The answer became clear when I researched the balance sheets of large corporations. What I found is that, for a vast majority of large organizations, the makeup of their assets on the balance sheet consists of what financial analysts term intangibles. [MM2]

According to International Financial Reporting Standards (IFRS), assets are without physical substance. However, companies expect intangible assets to generate economic returns for the company in the future. As a long-term asset, this expectation extends beyond one year or one operating cycle [1]. The IFRS word choice is Interesting: “non-monetary assets without physical substance.” Yet, these are still assets and in balance perhaps the most valuable of all.

This is especially true for life sciences companies; information security isn’t just about protecting networks or applications, it’s about safeguarding intellectual property, patient data, and clinical trial integrity. Most assets on a biopharma’s balance sheet are intangible — data, IP, and other non-physical assets that generate future economic value. Protecting and maximizing the value of these assets is critical for long-term success.

The World Intellectual Property Organization estimates that the global value of all intangible assets has surpassed 80 trillion US dollars worldwide [2].

Figure 1 - Global Intangible Asset Growth 1996-2004

In the same report, the authors note that technology and pharmaceutical companies continue to dominate among the most intangible asset-rich firms. Life sciences companies that made the top firm list include Novo Nordisk, AstraZeneca, and Teva Pharmaceuticals [2].

So, what can we get from this information? Data represents a vast share of the wealth in the modern economy. Learning to leverage this asset is a critical success factor for all life sciences companies. Other businesses must master the discipline of creating data value.

Life sciences companies are now exploring new frontiers for the creative use of data [MM3] [ESF4] across multiple areas. Let’s look at two important ones. I will cover additional dimensions in subsequent posts.

Research & Development (R&D)

Data has always been intrinsic to the research and development process for life sciences. For example, analyzing the results of a clinical trial can involve collecting large samples of patient data on their disease response to the new medication and, equally important, how this compares with patient responses who received a placebo during the trial.

“All clinical trials and many observational studies have a designated primary outcome of interest, which is the quantitative metric used to determine the effect of the treatment or exposure. The statistical properties, such as the probability distribution of the outcome variable and quantifying changes in said variable due to the exposure, are of primary importance in determining the choice of statistical methodology.” [3]

Artificial Intelligence is now impacting R&D as life sciences companies seek more cost-effective ways to bring drugs to market. Data science has emerged as a cornerstone for decision-making and problem-solving across various sectors, with potentially transformative implications for life sciences and healthcare organizations. Sloan Partners, a life sciences executive search firm, reports that the ability to analyze vast amounts of data accurately and quickly to extract meaningful insights has revolutionized how we approach scientific research and development, clinical practices, diagnostics, drug development, and patient care. [4]

Medical Affairs (Pharmaceutical Market Influence)

Another example is Medical Affairs. Medical Science Liaisons engage healthcare providers (HCPs) and Key Opinion Leaders (KOLs) to share scientific information and build relationships with these influencer groups.

Using various types of data to leverage medical affairs information for better patient outcomes:

• Harnessing real-world data and clinical insights.

• Influence physician prescribing behaviors

• Payer decisions

• Market access and reimbursement strategies

Using this information, life sciences companies judge market perceptions as well as measure the effectiveness of their medications in the marketplace.

I chose just two possible areas where data is critical to life sciences organizations. There are other use cases where data is essential for life sciences organizations. Other examples include finance, facilities, operations, manufacturing, sourcing, and logistics.

Using just these examples, it is obvious why information and data assets represent a significant part of a life sciences company’s balance sheet.

Green Leaf Consulting Group brings hands-on experience in helping life sciences companies harness the power of data within research and development and medical affairs. From ensuring data integrity in clinical research to delivering compliant, insight-rich reporting for medical affairs teams, we help organizations turn data into a strategic advantage that advances science and enhances patient care.

In this series of articles, I will explore the various dimensions of information and data assets and why mastering an organization’s data assets will define the winners and losers in the next decade. In my next post, I will explore the other data dimensions that drive life sciences organizations, including direct monetization (a controversial topic), return on investment (ROI), business value creation through data-driven optimization, and the 800-pound gorilla in the data science room – AI.[MM5] [ESF6] [MM7]

References

1. Mackie, C., Intangible Assets: Measuring and Enhancing Their Contribution to Corporate Value and Economic Growth: Summary of a Workshop. 2009, The National Academy of Sciences: Washington, DC, USA.

2. Brown, A., et al., The Value of Intangible Assets of Corporations Worldwide Rebounds to an All-Time High of USD 80 Trillion in 2024, W.I.P. Organization, Editor. 2024.

3. Smeltzer, M.P. and M.A. Ray, Statistical considerations for outcomes in clinical research: A review of common data types and methodology. Exp Biol Med (Maywood), 2022. 247(9): p. 734–742.

4. Sloan Partners, The Growing Importance of Big Data & Data Science in Life Sciences & Healthcare, in Sloan Partners - Insights. 2024, Sloan Partners: https://slonepartners.com

This article is part of a series developed for Greenleaf Group to highlight the complexity of the data and data use in organizations of all sizes and across vertical industries. The first four articles in this series focused on the life sciences industry. Subsequent articles will focus on the financial services industry and on technology providers promising to revolutionize data analytics through Artificial Intelligence.

Introduction: Macro and Micro Views on the Use of Data in Financial Services

In past articles, the views and observations expressed were primarily from a micro-level perspective on the use of data within a specific domain. It could be argued that the datasets reviewed are tactical, addressing specific business processes. [1, 2]

This article shifts the focus to a broader picture – how broad changes in the world economy and political and economic shifts will make data significantly more important for solving strategic challenges.

Modern data science is built on the power of big data, and as I pointed out, it is easy to get lost in the sea of data; however, being lost in a sea of data does not mean we can’t or shouldn’t attempt to identify patterns and trends in the information. The financial services industry is changing, and the pace of change is accelerating.

The first FinTech, Security First Bank, was created in 1995 and sparked recognition that financial services could be improved through technology. [3] Innovations introduced by FinTechs such as Security First and its successors greatly influenced traditional banks, forcing them to adopt new technologies to remain competitive.

Two Models, One Trust Imperative

Traditional banks and FinTech companies often view themselves as fundamentally different. Banks emphasize stability, regulatory compliance, and balance sheet strength. FinTechs emphasize speed, innovation, customer experience, and platform-driven growth. Yet beneath these differences lies a shared reality: both are now data-centric financial institutions and depend on trust built through responsible data use.

Since then, digital channels, real-time payments, embedded finance, and AI-driven decisioning have become ubiquitous, and the distinction between banks and FinTechs continues to blur. Regulators increasingly treat FinTechs as systemically relevant financial actors, while banks adopt FinTech-style architectures and operating models. In this converging landscape, risk, regulation, and trust are no longer institution-specific concerns but are data-driven imperatives.

Risk Is No Longer a Balance Sheet Issue Alone

For decades, banks managed risk primarily through capital adequacy, credit underwriting discipline, and market exposure controls. FinTechs, by contrast, often framed risk in terms of platform reliability, fraud prevention, and growth sustainability. Today, both models face the same underlying truth: risk has become a data problem.

Data Quality and Interpretation

Poor data quality can distort credit models, increase false positives or negatives in fraud detection, undermine stress testing, and lead to unfair or non-compliant customer outcomes. As automation accelerates, errors propagate faster and farther.

New Pressures

As capital fractures amid geopolitical tensions (trade and kinetic conflicts), technological advancements, and demographic trends, global commerce and financial services business models must adapt. Not only are there more variables in play than usual, but the sector’s pace of change (adaptation) is accelerating at a speed never imagined. Executives are trying to navigate the complexities of a multi-shock world, where the only thing firms can be certain of is uncertainty. World events are rapidly reshaping the financial services landscape; resilient companies will focus on having the data, analytical capability, and leadership to pivot toward opportunity and away from uncontrolled risk. [4]

This is not a new problem. Information has always been instrumental in decision-making. Richard Hamming (1915-1998) is credited with coining the phrase “You get what you measure.” [5, 6]

However, bias can deceive us, allowing us to see things as we want to, rather than as they really are. We may think our measurements are accurate, but personal desires cloud the analysis, and we create false narratives.

The 2008 Financial Crisis

The 2008 global financial crisis was the worst economic disaster since the Great Depression. It caused upheaval in financial markets worldwide, brought down major banks, and left millions of people without homes, jobs, or savings. At its core, the crisis stemmed from a toxic mix of deregulation, excessive risk-taking, lax lending standards, and the bursting of a massive housing bubble. But the seeds of the crash were sown over many years through flawed policy decisions and unchecked market excesses.

One of the most significant lessons learned from the global financial crisis that began in 2007 was that banks’ information technology (IT) and data architectures were inadequate to support the broad management of financial risks. Many banks could not aggregate risk exposures and quickly and accurately identify concentrations at the bank group level, across business lines, and between legal entities. Some banks were unable to manage their risks effectively due to weak risk data aggregation capabilities and risk reporting practices. This had severe consequences for the banks themselves and for the stability of the financial system overall. [7]

The data had been there for some time, and a time bomb and an equivalent financial time bomb had been set, with the fuse lit. As Michael Burry observed in a New York Times Op-Ed article written after the crisis, many formerly prestigious firms (Lehman Brothers, Bear Stearns, and others) collapsed. Several factors caused the crash. [8]

In 2008, after the crash, Alan Greenspan, the former chairman of the Federal Reserve, admitted he had made a mistake. He is quoted as saying:

“I made a mistake in presuming that the self-interest of organizations, specifically banks and others, was such that they were best capable of protecting their own shareholders,” he said. [9]

Regulation, Innovation, and Uncertainty

Economists widely expect that the extensive use of leverage across the financial system, combined with policy efforts to lower interest rates in support of economic growth, will increase inflationary pressures. For banks, FinTechs, and investors, this environment heightens uncertainty about asset valuations, funding costs, and long-term capital allocation. At the same time, regulators are struggling to keep pace with the rapid pace of change in financial services, while market indicators suggest that sophisticated institutional investors are increasingly diversifying exposure away from the U.S. in search of more stable or higher-growth opportunities abroad. [4]

Regulatory focus is intensifying around data lineage, technology controls, and algorithmic decision-making—areas at the core of modern FinTech and digital banking models. As a result, FinTech firms are facing bank-like regulatory expectations much earlier in their growth cycles, particularly in domains such as consumer protection, operational resilience, model governance, and data management. For investors, this shift materially alters risk profiles, compliance costs, and time-to-scale assumptions, while for institutions, it reinforces the need to embed regulatory readiness in product and platform design from the outset. [10]

The financial services sector is entering a period of meaningful regulatory realignment. Shifting political priorities, macroeconomic volatility, and rapid technological innovation are prompting regulators worldwide to reassess how financial oversight should be applied in a digital-first economy. In the United States, agencies including the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) are evolving their supervisory approaches to address emerging risks associated with non-bank financial institutions, embedded finance, and technology-driven business models. For banks and FinTechs alike, regulatory engagement is increasingly a strategic function rather than a purely compliance-driven exercise. [4]

At the same time, digital assets and cryptocurrency markets are shifting from speculative experimentation toward regulated financial infrastructure. The emergence of central bank digital currencies (CBDCs), growing institutional participation, and increased regulatory scrutiny are redefining how digital assets fit within the broader financial ecosystem. For investors and financial institutions, this evolution presents both opportunity and risk: blockchain-enabled settlement, tokenized assets, and programmable money offer efficiency gains and new revenue models, while regulatory uncertainty and jurisdictional fragmentation remain key concerns. The next five years will be decisive as policymakers, market participants, and investors seek to balance innovation with regulatory discipline—determining whether digital assets become a catalyst for financial system modernization or a constrained niche within it. [11]

Explainability as a Trust Requirement

To maintain customer trust, institutions must clearly explain how they make data-driven decisions. Explainability is no longer optional—it is a regulatory, legal, and reputational imperative. Regulators and customers will demand it as a key performance indicator. Customers choose providers based on transparency, fairness, and data stewardship. Trust increasingly determines market success.

The Cost of Weak Data Governance

Weak governance leads to regulatory fines, customer attrition, operational inefficiencies, and strategic hesitation. Strong governance enables speed, innovation, and trust.

Executive Accountability

Data leadership is executive leadership. CIOs, CTOs, CISOs, CROs, and CFOs must align governance with a clear-sighted assessment of what the data shows, so that it supports the institution’s strategy and maintains customer trust and regulatory compliance. A response from the executive suite that there was “no way of knowing” in the event of a major market correction will not suffice.

Conclusion

Data unifies risk, regulation, and trust. Institutions that master data governance will lead in banking and FinTech over the next decade. Greenleaf has data experts and C-level interim executives on staff who can develop a cost-effective, practical data governance program that addresses regulatory and operational risk and provides proof points for clients and their customers that they take data protection, privacy, and innovation seriously. If you have these concerns and would like an objective review, please contact the Greenleaf Group or

Strategic Technology Advisors.

References

1. Ferrara, E., Data in the Evolving World of Life Sciences_ Chaos to Order, in Greenleaf Group - Insights, M. Miner, Editor. 2025, Greenleaf Group: https://greenleafgrp.com/insights/data-in-the-evolving-world-of-life-sciences-chaos-to-order/.

2. Ferrara, E., Why Data Now Defines Value in Banking and Financial Services, in Greenleaf Insights, M. Miner, Editor. 2025, Greenleaf Group: https://greenleafgrp.com/insights/why-data-now-defines-value-in-banking-and-financial-services/.

3. Wikipedia, Security First Network Bank. 2025.

4. Peter, P., What will be left of financial services tomorrow?, in PWC - Insights. 2025, PWC: https://www.pwc.com/us/en/industries/assets/industry-edge-financial-services-tomorrow.pdf.

5. Ferrara, E., Data in the Evolving World of Life Science (Part 2), in Greenleaf - Insights, M. Miner, Editor. 2025, Greenleaf Group: https://greenleafgrp.com/insights/data-in-the-evolving-world-of-life-sciences-part-2/.

6. Hamming, R.W., Hamming, “You Get What You Measure” (June 1, 1995). 1995: YouTube.

7. Adachi, M., et al., Principles for effective risk data aggregation and risk reporting, F. Vargas, Editor. 2013, Bank for International Settlements: Basel, Switzerland.

8. Burry, M., I Saw the Crisis Coming. Why Didn’t the Fed?, in The New York Times. 2010, The New York Times: New York, NY, USA.

9. Beattie, A. and J. Politi, ‘I made a mistake,’ admits Greenspan, in Financial Times. 2008, Financial Times: London, UK.

10. Sheth, N., Fintech’s Next Big Challenge? Thriving In An Era Of Regulatory Uncertainty, in Forbes. 2025, Forbes Media: New York, NY, USA.

11. Kumar, U., 7 Trends of AI and Data Science in 2026. Medium, 2026.

I wrote the first version of this paper as Vice President, Principal Analyst at Forrester Research. Much has changed since 2012, when the first version was published.

Modern organizations run on information. Product design, digital services, supply chains, and customer experiences are all powered by data that can be copied, stolen, encrypted, or manipulated at very low cost by increasingly professionalized threat actors. At the same time, boards and executive teams expect chief information security officers (CISOs) to justify security spend with the same financial discipline that applies to any other investment. This was true in 2012 and is still true today.

This paper presents an updated 2025 version of Forrester’s Information Security Value Model. [1] This paper reframes information security as an economic function that protects and enables revenue, rather than a pure cost center. The model helps CISOs:

1. Value information assets in business terms.

2. Quantify fixed and variable security costs.

3. Estimate expected loss using modern risk-quantification techniques.

4. Express security value as a transparent, decision-supportive financial ratio.

I also provide a practical implementation roadmap, updated terminology aligned with today’s cloud- and AI-driven environments, recommendations for enhancing visuals and dashboards, and guidance on telling a clear financial story about cyber risk to senior leadership and the board.

2 Introduction: Why Security Economics Matter in 2025

Security and risk leaders face a paradox. Cyber risk is growing in frequency, impact, and complexity, yet security budgets are not keeping pace and, in many organizations, are effectively flat in real terms. Regulators, customers, and investors expect stronger controls, better resilience, and faster incident response, while executive teams expect security to enable digital growth rather than constrain it.

In this environment, qualitative arguments and generic industry benchmarks are no longer sufficient. CISOs must demonstrate how security investments reduce expected losses, protect revenue, and align with the organization’s risk appetite. They need a security business model that mirrors the economic rigor used by attackers and their finance peers. The Information Security Value Model addresses this need by pairing information asset valuation with cost and risk modeling, enabling security to be managed as a portfolio of economic decisions.

3 The Modern Threat Landscape and Attacker Economics

Cybercriminals and state-aligned actors now operate as sophisticated businesses. Ransomware-as-a-service platforms, credential markets, and initial-access brokers have created a mature ecosystem in which each actor specializes in a segment of the value chain. Cloud environments, remote work, and ubiquitous APIs have expanded the attack surface, while automation and AI tools enable adversaries to scale operations at relatively low incremental cost.

The economics of this ecosystem are clear: attackers target the information and systems that generate the most value. This includes intellectual property, payment and customer data, operational technology, and the digital platforms that underpin service delivery. They pursue the highest payoff for the lowest effort and risk. For example, encrypting a small number of high-value databases or compromising a key cloud identity provider may yield more leverage than a broad but shallow intrusion. In effect, attackers perform their own informal cost–benefit analysis of an organization’s information assets.

If security leaders cannot explain the economic value of the information they protect, they will struggle to compete with attackers. Adopting a clear financial model for security is therefore not optional; it is a prerequisite for effective strategy and credible decision-making.

4 Information as a Revenue-Producing Asset

Traditional accounting treats information as an intangible asset, if it is recognized at all. Hardware, office buildings, and manufacturing equipment appear explicitly on the balance sheet, but the data that drives modern business models often does not. In 2025, this perspective is increasingly detached from reality. Information is a primary input to revenue-generating activities and should be managed accordingly.

For this model, we define the economic value of an information asset as the share of current and future revenue that depends on the availability, integrity, and confidentiality of that information, minus the direct and indirect costs of creating, managing, and protecting it. This definition makes information value explicitly conditional on business use: data that no longer supports products, services, or regulatory obligations has little or no economic value and should be archived or deleted.

To make this definition operational, we categorize information into three broad types:

1. Revenue-generating information: directly tied to products or services sold to customers, such as software source code, pricing models, or customer transaction data.

2. Risk- and compliance-driven information: not directly revenue-generating but required to satisfy legal, regulatory, or contractual obligations, such as employee records or regulated financial and health data.

3. Supporting information: enables internal efficiency or decision-making, such as analytics data, internal process documentation, or training materials.

5 The 2025 Information Security Value Model

The Information Security Value Model quantifies how security investment relates to the value of information assets and the risk of loss. It consists of four significant steps:

1. Map information assets to business capabilities and revenue streams.

2. Quantify fixed and variable security costs associated with those assets.

3. Estimate expected loss by modeling threat scenarios and control effectiveness.

4. Calculate security value and optimize the security investment portfolio.

5.1 Map Information Assets to Business Capabilities and Revenue

Start with the business, not the technology. Work with product, sales, operations, and finance stakeholders to identify major revenue streams and the capabilities that support them—for example, digital commerce, subscription services, manufacturing, or logistics. For each capability, identify the critical information assets that must be available and trustworthy for that capability to function.

For each asset–capability pair, assign a proportional contribution to revenue. In some cases, this will be direct and obvious—for example, an e-commerce customer database that is required for order processing. In other cases, the relationship is indirect or shared across multiple products. The goal is not perfect precision but a consistent, defensible mapping that can be refined over time.

1.1 Quantify Fixed and Variable Security Costs

Next, classify your security costs as either fixed or variable and associate them with the information assets you have just mapped. Fixed costs are those that do not fluctuate significantly with incident volume over the short term, such as permanent staff, core tools, and baseline compliance obligations. Variable costs are triggered or increased by events, such as major breaches or new regulatory findings.

Typical fixed costs include:

1. Core security tooling (identity, endpoint, network, cloud, SIEM/XDR).

2. Baseline compliance activities (audits, assessments, certifications).

3. Shared infrastructure charges for security services.

4. Typical variable costs include:

• Security staff salaries and benefits.^[1]

• Incident response and forensics.

• Legal counsel, regulatory notifications, and fines.

• Customer communication, call center surges, and credit monitoring.

• Ransom payments or operational downtime losses, where applicable.

• Post-incident technology changes, consulting engagements, and additional staffing.

Assign these costs to the information assets they primarily protect, using reasonable allocation keys such as percentage of control coverage, percentage of asset criticality, or revenue share. The goal is to determine how much you currently spend to protect each major revenue-producing or risk-sensitive asset.

1.2 Estimate Expected Loss Using Modern Risk Quantification

To move beyond qualitative heat maps, use modern risk quantification techniques to estimate the expected loss for each information asset. Frameworks such as FAIR (Factor Analysis of Information Risk) and Monte Carlo simulations enable you to model ranges of probable loss rather than single-point estimates.[2]

For each critical asset, identify plausible threat scenarios, such as credential compromise leading to data theft, ransomware affecting availability, or insider misuse of sensitive information. Assess how often each scenario could occur and estimate the potential impact on factors such as revenue loss, response costs, regulatory penalties, and long-term reputation damage. Conduct simulations to generate a distribution of annualized loss exposure rather than relying on a single number.

This expected loss is a key input to the security value calculation. It quantifies the downside risk that security controls are intended to mitigate.

1.3 Calculate Security Value and Optimize the Portfolio

With revenue contribution, cost, and expected loss estimates in place, you can now calculate the economic value of your security program. A practical way to do this is to focus on three core quantities for each major asset or asset group:

1. Revenue protected: the portion of revenue that depends on the asset being secure and available.

2. Expected loss avoided: the reduction in modeled loss due to existing or proposed controls.

3. Total security investment: the fixed and variable costs allocated to protecting the asset.

A simplified expression of security value at the portfolio level is: Security Value = (Expected Loss Avoided + Revenue Protected + Enablement Benefits) / Total Security Investment.

This approach promotes continuous improvement. Over time, you aim to increase the numerator—by enhancing control effectiveness and expanding secure digital business—while managing or decreasing the denominator through automation, consolidation, and better prioritization. Security decisions can then be evaluated using the same return-on-investment logic applied to other business initiatives.

1.4 Worked Example: Subscription SaaS Provider

Consider a hypothetical software-as-a-service company that derives 80% of its revenue from a multi-tenant cloud platform. A small number of information assets—such as the production customer database, authentication service, and billing system—are clearly critical. Using the steps above, the CISO and finance team determine the following:

1. 65% of annual recurring revenue depends on the availability and integrity of the production database.

2. 50% of that revenue would be at serious risk in a prolonged outage or a large-scale data breach.

3. The expected annualized loss exposure for the database, before control improvements, is modeled within a range that would meaningfully impact profitability.

The organization then evaluates several investment options, including enhanced backup and recovery, privileged access management, and stronger identity protection. For each option, the team estimates the expected reduction in loss and the impact on overall security investment. This analysis helps executives prioritize the controls that offer the greatest expected loss reduction relative to cost, while also considering qualitative factors such as customer trust and regulatory review.

2 Visuals, Tables, and Dashboards

To make the Information Security Value Model usable in day-to-day decision-making, present it through clear visuals and dashboards rather than dense spreadsheets alone. The following elements are particularly helpful for executives:

1. A revenue-to-asset map showing which information assets underpin which revenue streams.

2. A cost allocation table that summarizes fixed and variable security costs by asset group.

3. A risk curve that illustrates expected loss before and after key control investments.

4. A portfolio view that ranks assets by revenue contribution, expected loss, and current control strength.

For example, a dashboard might display each major asset as a bubble positioned by revenue contribution (x-axis) and expected loss (y-axis), with bubble size representing total security spend and color representing residual risk. This provides an immediate visual cue about where security investment may be misaligned with business value.

3 Communicating Security Value to Executives and the Board

Even the most rigorous model will fail to gain traction if it is not communicated in a language that resonates with executive stakeholders. CISOs should frame security conversations around business outcomes rather than technical metrics. Instead of leading with vulnerability counts or tool coverage, focus on revenue-at-risk, expected loss reduction, and alignment with the organization’s stated risk appetite.

Effective board reporting on security typically includes:

1. A concise narrative of the current threat environment as it relates to the organization’s strategy.

2. A summary of the most critical information assets and the revenue or mission outcomes they support.

3. Quantified estimates of expected loss and how key initiatives are changing that exposure.

4. A small set of leading and lagging indicators, such as time-to-detect, time-to-contain, and control coverage for high-value assets.

5. A forward-looking view of significant initiatives, dependencies, and investment decisions required in the next 12–24 months.

By consistently framing security in these terms, CISOs build credibility as business leaders who manage a portfolio of risk and return, rather than as purely technical experts seeking incremental budget.

4 Updated Terminology and Best Practices

The 2025 version of the model aligns with modern security architectures and operational practices. Key concepts include:

1. Zero Trust: assuming no implicit trust based on network location and continuously verifying user and workload identity.

2. Cloud-native security: embedding controls into infrastructure-as-code, CI/CD pipelines, and managed cloud services.

3. AI-augmented defense: leveraging analytics and machine learning to detect anomalies, prioritize alerts, and automate routine actions.

4. Continuous compliance: using automation to maintain and demonstrate adherence to regulatory and customer expectations.

5. Business resilience: integrating cybersecurity with business continuity, crisis management, and operational risk disciplines.

Incorporating these practices into the Information Security Value Model ensures that valuation and cost assumptions reflect today’s operating reality, including shared responsibility with cloud providers and the growing role of automation in both attack and defense.

5 Implementation Roadmap for CISOs

Adopting an economic model for information security does not need to be an all-or-nothing transformation. CISOs can proceed in phases, building credibility and insight along the way.

0–30 Days: Establish the foundation

1. Identify and document the top revenue streams and mission-critical outcomes.

2. Select an initial set of 5–10 critical information assets that support those outcomes.

3. Begin a simple revenue mapping exercise with business and finance partners.

30–60 Days: Build the model

1. Catalogue fixed and variable security costs and begin allocating them to the selected asset set.

2. Define a small number of threat scenarios for each asset and estimate frequency and impact ranges.

3. Use a lightweight risk-quantification approach to produce initial expected loss estimates.

60–120 Days: Operationalize and communicate

1. Refine the model using feedback from finance, risk management, and business leaders.

2. Create dashboards and visuals that present the model in executive-friendly terms.

3. Use the model to inform at least one major investment decision or reallocation of spend.

Ongoing: Iterate and expand

1. Regularly update assumptions based on new threat intelligence, incidents, and business changes.

2. Expand the asset set and improve cost allocation accuracy over time.

3. Track changes in expected loss and security value as part of quarterly performance reviews.

6 Conclusion

Cybersecurity is not a purely technical discipline. It is an economic function that protects and enables the information assets on which modern organizations depend. By treating information as a revenue-producing asset and quantifying both the costs and benefits of security, CISOs can make more informed decisions, communicate more clearly with executives, and compete more effectively with adversaries who already think in financial terms.

The Information Security Value Model presented here provides a practical framework for this shift. It enables security leaders to measure security value as a function of revenue protected and expected loss avoided, and to continuously optimize their investment portfolio in line with the organization’s strategy and risk appetite.

7 References

1. Ferrara, E.S., Determine the Business Value of an Effective Security Program — Information Security Economics 101.Forrester Research, 2012.

2. Jones, J., An Executive’s Guide to Cyber Risk Economics. 2011, RiskLens.

^[1] There is debate regarding employee salaries and benefits regarding the true variability of these costs.