Many people consider Information Security to be merely a subset of the overarching practice of Information Governance, but it is more useful to understand IG as a coordinating authority delivering benefits from Records Management, Privacy, Compliance, Legal, and knowledge workers right to a security officer’s desk. When looking at Information Security in this context, it’s clear that Information Governance can dramatically improve Info Sec’s ability to perform its function.
So what are the primary benefits Information Security can expect from a comprehensive Information Governance program?
1. Defensible Deletion
a.k.a. Why protect it if you’re allowed to destroy it?
a.k.a. Hackers can’t steal what you’ve already deleted (except when you don’t do it right)
One of the main goals of Information Governance is coordinating and documenting all regulatory requirements, legal responsibilities, and business goals that require data to be retained for a certain period of time and/or deleted after a certain period of time. For those not familiar with the practice, it often results in what’s called a retention schedule, a hallmark tool in managing the information lifecycle.
One benefit of a retention schedule is to bolster confidence in pressing the delete button, allaying any fear that a business group, regulator, or court will eventually need documents that have been deleted according to policy. In practice, however, pressing delete is not always an easy task; but for anyone who has spent time considering all the risks of retaining data too long, it is an absolute must. We have even seen records managers giving each other high-fives for successfully deleting a few dozen Terabytes of information.
People often think of purging data as principally a benefit to IT (i.e., freeing up storage space), but the more important benefit is a reduction in surface area exposed to potential security breaches. Indeed, the best way to ensure data is not compromised in a breach event is to not have the data in the first place.
2. Information Classification
a.k.a. Avoid redundant work
a.k.a. Get someone else to do the work
Information Security plans are mostly concerned with classifying and protecting regulated information, such as protected health information (PHI), Payment Card Information (PCI), or Personal Data (per GDPR). Focusing on high-risk data types that could be potentially devastating if lost or compromised makes sense as a method for prioritizing limited resources.
Information Governance as a practice also pays special attention to high-risk data, but unlike most Information Security programs, there is also a focus on classifying high-value data and ensuring its availability. Indeed, IG programs aim to consider all data under the control of the company or its trusted third parties when applying a classification scheme, one that often features dozens of categories supported by professionally developed taxonomies.
Cybersecurity professionals should continue to approach classification and inventories from a risk-based approach, but by leveraging and coordinating with other groups in the organization that are applying broader and more detailed classification projects, a wealth of intelligence could be leveraged to inform an even better risk analysis for prioritizing resources.
Moreover, any technology investments focused on classifying data for legal or records could also be leveraged by Info Sec, or at the very least integrated with other tools such as DLP. Ideally, the classification process should have input from all stakeholders within an organization to make sure it serves all of their needs and supports all of their missions, without repeating or duplicating efforts.
3. Post Breach Intelligence
a.k.a. So exactly how bad is it?
a.k.a. Please somebody tell me anything at alllll
Information Security professionals are used to thinking of security breaches as eventualities rather than possibilities. Incident response plans are considered a basic requirement for a security program, and a major element of every plan is to be able to answer the most pressing post-breach question: how bad is it?
Knowing what data was compromised is essential to understanding which jurisdictions, authorities, and customers are implicated; the legally required timelines for notifications; the potential reputational harm; and how the company can try to own and control the narrative of the event.
The metadata classification, file analysis, record plan auditing, data mapping, and indexing that take place as part of a mature Information Governance program all serve as extremely valuable, independent references to understand quickly what was impacted in a breach, even if the compromised system itself is locked down or missing, preventing reactive analysis.
4. Amplification of Training and Awareness
a.k.a. Security awareness strike force
a.k.a. They’re gonna get schooled
For years, one of the most serious risks to information security has been the employees of company, who can cause breaches either through negligence or malintent. One of the cheapest and most effective measures to prevent a breach is comprehensive training, both at onboarding and as an ongoing function. Making employees aware of the risks and of best practices can sometimes prevent the worst of attacks.
Information Governance by definition is a horizontal function that joins together Information Security with other functions such as Privacy, Records Management, IT, and Legal. Every one of those groups also has important messages to communicate to all employees that require compliance and participation from everyone to accomplish their goals.
If all those groups pursued independent training and awareness programs, employees would be inundated with information and likely be turned off to the constant PSAs. By partnering together and planning cohesively, employee awareness can be consolidated into a single message regarding what the company expects of its employees with respect to its information and assets. Not only will employees be more willing to listen, but you will have allies to amplify the Info Sec message across the enterprise.
5. Budget Efficiency
a.k.a. More is better than less
a.k.a. Let’s get someone else to pay for it
Another major benefit that Information Governance brings through cross-department cooperation is budget alignment. Even tools that traditionally are thought of as being useful only to the Info Sec team, (e.g., DLP, permission auditing, and behavioral analytics software) have utility to other groups as well. All three types of software mentioned above are designed to make sure the wrong information doesn’t end up in the wrong person’s hands, but they can also play a part in making sure the right information is in the right person’s hands. Ensuring information availability and optimizing the accessibility of valuable information assets is a key tenet of Information Governance, and budgets align more often than one would think when problems are studied holistically.
More obvious synergies exist when considering information classification technologies, training platforms, and document management technologies. When you combine priorities from all stakeholders, you can more efficiently purchase technology and establish processes.
Information Governance is not a discreet function, but rather one dedicated to ensuring vertical silos in the company become interconnected and complementary. A comprehensive Information Governance solution can assist Information Security in better performing its function, and with real buy-in from Information Security, the synergies become apparent quickly.