If you think that information security is all about networks and firewalls and secure passwords, you would be partly right. But there is so much more to information security than infrastructure and making sure we change our passwords regularly. And you don’t have to look very hard to see why.
Think about all the well-known cyber attacks that exposed the personal information of millions of people. Think about the work you are doing to comply with the EU’s General Data Protection Regulation (GDPR) and how your information is spread across the company in silos, some of which are almost impossible to find.
The role of Information Security has evolved to support a wider mandate. Who better to help us understand the new role of the CISO (and how it interacts with Information Governance) than Joe Shepley, VP and Practice Leader at Doculabs, a strategy consulting company focused on information management and information security services.
A few highlights from the podcast.
Understanding Information Security
Joe said many still think of information security as firewalls and what those firewalls give you – a line of defense, building walls and defenses, keeping bad actors out and keeping bad actors (or ignorant actors) inside from putting out confidential information. Think technical – hardware, software. This hasn’t changed.
But what is changing is the idea that you can’t keep everyone out (pointing back to all those high profile breaches mentioned above). It has become more about minimizing the impact of breaches when they do happen.
“If our goal is to avoid them, we will always fail. The goal instead should be to make the eventual breach – have the risk be minimized, the impact be minimized and the overall damage – whether that’s reputational, financial, operational to the organization be minimized.”
Are CISOs embracing this new view? Joe said the cutting-edge ones are there. Those who come from a more technical background, such as security analysts, look at things differently; others are more realistic about goals.
Where Information Governance and Information Security Intersect
Ken Lownie, Everteam Chief Operations Officer, talked about how, as an information governance software company, Everteam is usually approached with a problem that starts with one of three requests:
- I need to decommission a system
- I need to be compliant with something
- I just need to clean this content up
Joe said there is a lot of overlap between information governance and information security. He gave the example of a healthcare company that stores many years of PHI. When a breach happens, it’s the CISO who gets called to the board and is on the hook for the severity of the breach’s impact – not the records manager, legal or IT.
This responsibility requires the CISO to play a major role in how information is managed, ensuring governance policies and procedures are followed.
Think about an application decommissioning project where you need to retain some of the content in that system and destroy the rest. The project may initially focus on ROI, but that same project is also of interest to security because it’s that much less information you are storing that could be exposed during a breach. This is particularly true of older systems.
It’s very much about reducing the risk surface of the organization, Joe said.
The other example Ken offered focused on finding where all your information is located and cleaning it up. One of these locations is almost always a network drive. So the cleansing is critical from an information governance perspective, but also an information security perspective because network drives can be incredibly vulnerable.
Joe said older information that isn’t needed has no business value but carries a landmine’s worth of risk.
Information Security is a Catalyst for Information Governance Initiatives
The CISO talks with the Board of Directors a couple of times a year, which gives them a voice at the table, because no one wants to be around when a breach happens. Joe said that typically, 80-90% of the time, funding for initiatives with a security focus isn’t a problem; the challenge is more often deciding what to do with the money. That’s the complete opposite of IT and records management.
The Ideal InfoSec Project vs. the Ideal InfoGov Project
Joe described a typical information security project:
- Perform initial strategy work
- Use a tool to scan content and gather wrapper metadata
- Use file analytics to look for PII and PHI
- Use that data to drive the rest of the work
- Define policies and procedures to support clean-up and migration work
- Execute the work
Ken described Joe’s information security project as a superset of information governance. Information governance projects typically address specific use cases – like decommissioning an app or a file remediation project. These projects use tools like file analytics, archiving and records management to help find information, enhance classification, identify ROT (redundant, obsolete and trivial content) and perform archiving and migration to other systems or locations.
Want to Learn More?
Listen to the podcast to hear the entire conversation; it’s worth the twenty minutes. If you’re looking for more information on Information Governance or Information Security, check out these two resources: