Back to Research

Defensive and Offensive Data Strategy

Organisations tend to over-index on either defensive data management (governance, compliance, quality) or offensive data exploitation (analytics, AI, monetisation) — rarely both. This framework provides a diagnostic for assessing your current balance and a sequencing model for building both capabilities without paralysing either.

Mal Wanstall · 11 min read ·

The Tension

Every data leader faces the same fundamental tension: the organisation needs robust data governance, quality, and compliance (defensive) and it needs analytics, AI, and data-driven decision-making that creates competitive advantage (offensive). Resources are finite, and the two agendas compete for the same people, platforms, and executive attention.

The common mistake is treating this as a sequencing problem — “we’ll get the foundations right first, then do the exciting stuff.” In practice, this means the offensive agenda is perpetually deferred, executives lose patience, and the defensive work loses its funding because it never demonstrates business value.

The opposite mistake is equally destructive: investing heavily in AI and analytics on top of ungoverned, poor-quality data, then wondering why models don’t perform and dashboards aren’t trusted.

A Diagnostic Model

I use a simple 2x2 assessment to diagnose where an organisation sits:

Defensive Maturity (vertical axis): How well does the organisation manage, govern, and protect its data?

  • Low: No consistent data quality standards, governance is ad hoc, regulatory compliance is reactive
  • High: Established data quality frameworks, active governance that influences decisions, proactive compliance

Offensive Maturity (horizontal axis): How effectively does the organisation use data to create value?

  • Low: Reporting is retrospective, analytics is ad hoc, AI initiatives are experimental
  • High: Analytics is embedded in decision-making, AI is in production, data products generate measurable value

This produces four quadrants:

Quadrant 1: Unmanaged (Low Defensive, Low Offensive)

The starting point for most organisations. Data exists in silos, there’s no coherent strategy, and any value generated is through individual heroics rather than systematic capability.

Priority: Establish Tier 1 foundational data products (see Data Product Taxonomy) and a minimal viable governance framework. Simultaneously identify one high-value offensive use case to build momentum and demonstrate value.

Quadrant 2: Controlled (High Defensive, Low Offensive)

Common in heavily regulated industries. Excellent data governance and compliance, but the capability is oriented entirely toward risk management. The data team is seen as a cost centre.

Priority: Reframe governance as an enabler of offensive value, not a constraint on it. Introduce data product thinking and fund offensive initiatives that explicitly leverage existing governance investments.

Quadrant 3: Exploitative (Low Defensive, High Offensive)

Common in fast-growing tech companies and organisations that have invested heavily in AI/analytics without corresponding governance. Impressive demos, but scaling is blocked by data quality issues, regulatory risk, and trust problems.

Priority: Retrofit governance without slowing offensive momentum. This requires careful intervention design — the worst thing you can do is impose heavy governance processes on teams that are delivering value. Instead, embed quality and governance requirements into the data product development lifecycle.

Quadrant 4: Balanced (High Defensive, High Offensive)

The target state. Defensive and offensive capabilities reinforce each other — high-quality governed data enables reliable analytics and AI, while offensive use cases justify continued investment in data management.

Priority: Maintain balance as the organisation scales. The most common risk at this stage is complacency — assuming the balance is self-sustaining when it actually requires active leadership attention.

Sequencing Principles

Based on experience across multiple organisations, I’ve identified five sequencing principles that apply regardless of starting quadrant:

1. Always Run Both Agendas in Parallel

Never fully pause offensive work to “fix the foundations.” The organisation needs visible value delivery to sustain investment in defensive work. Budget at minimum 30% of capacity to whichever agenda is weaker.

2. Use Offensive Initiatives to Drive Defensive Improvement

The most effective way to improve data quality is to build something that breaks when quality is poor. A customer propensity model that produces nonsense because of duplicate records is more compelling to a business sponsor than a data quality report.

3. Embed Governance in Delivery, Not Alongside It

Governance that exists as a separate process from delivery will always be treated as overhead. Embed quality gates, metadata capture, and access controls into the data product development workflow so that governed data is the path of least resistance.

4. Measure Both Agendas with Business Metrics

Defensive metrics (data quality scores, policy compliance rates) are necessary but insufficient. Translate defensive capability into business terms: “Our customer data quality improvement reduced marketing waste by $2M” is more powerful than “We improved the completeness score from 78% to 94%.“

5. Rotate People Between Agendas

The fastest way to break down the defensive/offensive divide is to move people between the two. Engineers who have built analytics products understand why governance matters. Governance specialists who have worked on offensive initiatives understand why speed matters.

Implications for the CDO Role

This framework has direct implications for how the Chief Data Officer role should be designed:

  • CDOs who report into Risk or Compliance will naturally over-index on defensive. Those who report into Technology will over-index on offensive. Neither reporting line inherently produces balance.
  • The most effective CDOs I’ve worked with maintain separate but coordinated teams for defensive and offensive agendas, with shared platforms and regular rotation between teams.
  • CDO success should be measured on both agendas simultaneously, with explicit targets for each. A CDO who delivers excellent governance but no business value has failed just as surely as one who delivers AI demos on ungoverned data.

This framework synthesises experience across financial services (where defensive maturity is typically high) and technology companies (where offensive maturity is typically high), and is informed by advisory work helping organisations move toward Quadrant 4.

data strategygovernanceanalyticsdata leadership

Interested in applying this research?

I work with a small number of organisations on strategy execution and data/AI capability challenges.

Advisory Subscribe to Newsletter