We're on a journey here that spans across multiple posts, looking at the broader impacts of our shift to an information economy and an information society.
In my previous post, I attempted to make the case that information governance -- a centralized, business-oriented view of how information is gathered, used and managed across the enterprise -- would likely be an emergent theme; if not now, then certainly in the near future.
I also observed that risk avoidance associated with information management issues -- although a likely starting place for the discussion -- wasn't the be-all and end-all of how we might think about the topic.
In this post, I'd like to explain a bit about why information risk management will probably be not only the central theme behind information governance, but how it will probably dominate the IT security discussion in coming years.
Thinking About Information Risk
All it takes is a short tour around your business, imagining the worst possible information in the worst possible hands.
Maybe it's a dump of your HR database showing up on a web site. Or your unique (and confidential) IP being emailed to a competitor. Or, perhaps you're collecting credit card information, or other personally identifiable information -- and it all goes missing.
How about a lawsuit where you're asked to produce business records, and you can't? Or perhaps sensitive email conversations becoming public record? Or your CEO or CFO loses their laptop?
Business leaders cringe when they think about these scenarios, as well they should. They've all happened -- repeatedly. And the economic consequences can range from harmless to billions of dollars.
Good businesses have been damaged. More than a few careers have been ruined. The wreckage of poor information risk management is obvious, substantial, and increasing.
Well-managed organizations understand this growing threat, and want to take steps to identify, remediate and manage this new form of risk.
But how?
We Know What Doesn't Work Well
Over the years, many different approaches have been tried, all with limited success. Stern memos from IT or the legal department exhorting us to be more careful. Tight security for databases (but not reports!). Locked-down laptops that require a call to IT to get anything working.
Even USB ports that have been superglued shut.
Sometimes the cure is worse than the disease. After all, people need to get at information freely to do their jobs. And, yes, we can lock down every potentially sensitive byte in an enterprise, but at what cost?
I (and EMC) have argued that all of this misses the fundamental problem -- identifying sensitive information wherever it might be, and taking appropriate steps.
Yes, There's A New Acronym
Most of the new thinking around these issues is generally described as DLP -- data loss prevention. And I, for one, consider this a much more promising approach to the problem than what we've seen in the past.
DLP -- as I understand it -- has some simple concepts with technology behind it.
The first concept is centralization -- one place to create definitions of what might be sensitive or not, one place to define resulting actions once sensitive information is encountered, one place to push everything out, one place to monitor and audit effectiveness.
Now, before you wince at the idea of another uber-framework to implement, I would offer that -- in this case -- centralization makes logical sense, as opposed to a piecemeal approach. In any large company, financial risk management is centralized -- why shouldn't information risk management be the same?
The second concept is endpoint enforcement -- being able to contextually scan information as it gets sent over a network, or via email, or IM, or lands on a laptop, or USB device, or perhaps a mobile device. Being able to scan what's leaving the enterprise -- in real time, and using a fair amount of smarts -- is an essential component.
The third concept is information at rest -- file systems, backups, etc. -- looking for sensitive information where you wouldn't normally look. My favorite example is the file shares we all use. In most shops, these aren't treated as sensitive (e.g. encrypted), yet the contents of every database are continually reported on, and those reports are stored in -- you guessed it -- a file system.
The fourth concept is contextual policy. There's a ton of context around who's doing what with different kinds of information -- roles and use cases come into play here. Policy outcomes might be a warning, or logging, or encryption -- all the way to outright blocking and a call to the security department.
And, finally, the fifth concept is auditing -- being able to log that you've found something sensitive, done something about it, and being able to track who's seen it, where it's gone, and so on.
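To make the five concepts concrete, here is a small added example in Python (not EMC's or RSA's code, and not part of the original post): a toy at-rest scanner over a constructed file share, with a central policy table keyed by role and data class, a Luhn check so that a number-like string that isn't a real card number is not flagged, and audit records that carry a content fingerprint rather than the sensitive value itself. The roles, policy entries and file contents are all assumed for the example.

```python
import hashlib
import re

# Constructed sample "file share" contents; none of this is real data.
SAMPLE_FILES = {
    "reports/q3_sales_export.csv": "name,card\nJane Doe,4111 1111 1111 1111\n",
    "hr/payroll_notes.txt": "SSN on file: 123-45-6789 for employee 4412",
    "eng/readme.txt": "Build with make; order id 1234-5678-9012-3456 is a test",
}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SEVERITY = ["warn", "log", "encrypt", "block"]  # least to most severe

# Central policy: (role, data class) -> action. Roles are assumed for the
# example; any combination not listed falls through to the most severe action.
POLICY = {("finance", "credit_card"): "encrypt", ("hr", "ssn"): "log"}

def luhn_ok(digits):
    """Mod-10 check: rejects number-like strings that aren't valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Return the sensitive-data classes found in a text blob (the at-rest scan)."""
    classes = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            classes.add("credit_card")
    if SSN_RE.search(text):
        classes.add("ssn")
    return sorted(classes)

def decide(role, classes):
    """Contextual policy: the most severe action any matched class requires for this role."""
    actions = [POLICY.get((role, c), "block") for c in classes]
    return max(actions, key=SEVERITY.index)

def scan_share(files, role):
    """Scan every file, apply policy, and emit audit records that never carry the raw data."""
    audit = []
    for path, text in files.items():
        classes = classify(text)
        if not classes:
            continue  # nothing sensitive found; nothing to audit
        fingerprint = hashlib.sha256(text.encode()).hexdigest()[:16]
        audit.append({"path": path, "role": role, "classes": classes,
                      "action": decide(role, classes), "content_sha256": fingerprint})
    return audit
```

Running `scan_share(SAMPLE_FILES, "finance")` flags the sales export (encrypt) and the payroll notes (block, since finance has no policy for SSNs) while leaving the readme alone, because its 16-digit order id fails the Luhn check.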
EMC, as well as other vendors, are starting to offer reasonably complete DLP suites that combine the above functionality. Recently, EMC and RSA made a whole slew of announcements that all orbit around these ideas.
I think it's fair to say that no vendor has an absolutely perfect solution at this point in DLP's evolution, but the trend is clear: organizations are going to need these capabilities sooner rather than later.
And, rather than wait for vendor offerings to mature, more than a few organizations are diving in and starting to understand this new approach to information risk management.
Maybe you're interested in this stuff, maybe not, but I can safely predict that these topics will be more interesting in the future, and not less.
Going Outside The Enterprise
It's one thing to secure information within an enterprise's boundaries. But it's another thing when sensitive information has to move between companies and organizations.
More and more industries are collaborating with external entities to get the job done. Sometimes it's around expertise: energy, drug research, aerospace, etc. Other times, it's a shared mission, e.g. public safety, healthcare, or defense. But mostly, it's bigger companies working with smaller specialists in one area or another, and -- to get the job done -- sensitive information has to be shared.
DLP will need to extend to secure collaboration environments. The ability to track information and assure how it's being used will need to work outside the enterprise as well as within, because that's how business is done these days.
Who Will Manage Information Risk?
This discussion raises the question of who will be accountable for identifying, remediating and managing information risk. Certainly, IT has an enormous role to play in identifying threats, implementing technology solutions, and assuring their effectiveness.
But who will IT partner with on this mission? Legal? Finance? The board of directors?
The answer isn't entirely clear, is it?