The Data Minimalism Imperative: Why Less Really Is More for Public Sector Security

2024-03-05

Walk into almost any government agency—Singapore or elsewhere—and you’ll find this unspoken truth: we’re absolutely drowning in data. Sometimes it’s structured, sometimes it’s just piles of Excel files growing dusty on a SharePoint, but the problem is the same. Nobody asked, “Do we really need all this?” Instead, the quiet assumption is that more data means more power, insight, or control. In reality, it just creates a fat attack surface and a never-ending governance headache.

Here’s a conversation you’ll almost never hear in a risk committee: “Let’s aggressively delete 80% of our old PII because it creates more liability than value.” Why? Because most leaders aren’t incentivized to minimize—they’re told to be ‘ready’ for audits, to deliver shiny dashboards, and to never be caught saying “we don’t have that data” when someone from upstream comes asking. Even as privacy laws nudge us toward data minimization, the operational muscle memory just isn’t there. It’s easier to buy another SAN than to have a gnarly talk about which historical feeds are actually necessary.

After a decade in the trenches, I can count on one hand the number of times I’ve seen a Singapore public sector project deliberately scope out data points not to collect. Most agency templates still default to “collect everything up front, rationalize later”—which nearly always results in rationalizing never. The outcome? Excess data lives forever, risk registers get bloated, and nobody can answer with a straight face why they’re holding on to year-old IP address logs.

There’s a grim humor to it: we talk until we’re blue about the dangers of “shadow IT,” yet the most dangerous shadow systems are often the forgotten data caches you could trip over anywhere in the org. All it takes is one breach, and the question quickly becomes why you still had that five-year-old user export. With Singapore’s regulatory environment sharpening around breach notification and purpose limitation, the stakes are rising. Good luck trying to defend those “just-in-case” data sets to your DPO after a leak.

Practical advice? Make data minimization a living conversation, not a footnote on a policy doc. Demand that system owners justify what they collect and, more importantly, what they choose to retain. Reward early data retirement, not warehousing. Build relationships with privacy and audit teams who actually care about organizational risk, not just ticking policy boxes. Use DLP and discovery tools—but use them to clean house, not just to add another compliance report to the heap.

Will any regulator thank you for deleting unnecessary data before it becomes a headline? No. But when—not if—the next incident happens, the difference between “why was this still here?” and “it was deleted per policy six months ago” is the difference between being called negligent and being recognized as a CISO who gets it. As someone aiming for that chair, I’d rather be known for keeping it lean, not for letting data rot into tomorrow’s front-page.

It’s not glamorous, and there’s no awards ceremony for data you never kept. But disciplined deletion is what honest public sector security looks like. Everything else is just a future apology letter waiting to be drafted.