This latest gem is no exception. It's a survey piece conducted by Forrester on "The Value of Corporate Secrets". In the spirit of disclosure, the work was sponsored by RSA and Microsoft.
It made me think. Maybe it will make you think, too.
A Perspective
It's hard to talk about any aspect of information security at a "business enablement" level in an IT setting.
So much of the thinking is around finding and protecting against various forms of IT risk. In that sense it joins other IT disciplines such as backup, high availability, etc. as "things we do to keep bad things from happening".
But information security usually ends up crossing the line from the data center to the board room. Some IT leaders welcome the opportunity to engage at this level; others understandably avoid it.
At its core, good information security involves three aspects: good governance, good policy and good compliance. Governance evaluates the risk portfolio and sets policy. The policy turns into processes (usually enabled by technology). And the effectiveness of the processes in achieving the stated goals is reported back as compliance.
Part of a good governance model is recognizing new forms of risk that matter so they can be fed into the machine -- what kind of risk, how much of a risk, is this something that we need to set policy on, etc.
And that's exactly what this paper does -- highlight a potentially under-appreciated form of information risk in many corporate settings.
The Additional Focus
So much of the thinking today is about preventing bad things from inadvertently happening -- customer records getting disclosed, for example. Or maybe fending off one sort of penetration attack or another from places unknown.
But what about individuals motivated by profit? People who specifically want to target high-value information and steal it for economic gain?
Targeting credit-card information is perhaps the most recent public example we might be aware of, but the paper makes the case that this sort of economic targeting is far more frequent -- and far more costly -- than we might realize.
Think of customer lists. Source code and algorithms. Financial models. M&A plans. Internal business processes and formulas. Pending patent applications. Internal brainstorming sessions. It can be quite a list.
Anything that a company can claim as "secret sauce" is usually recorded as information in some form, and thus increasingly subject to this sort of theft.
So, if you're reading this, make a quick mental list of the sorts of information your company might consider secret sauce. Is there even such a list? And then ask yourself -- is it adequately protected against theft?
It's Not A Technology Problem
Since most of us are technologists, we tend to think that the answer to most problems is -- wait for it -- better technology.
I would argue the opposite -- there's more than enough technology in the marketplace from RSA and others to (a) identify valuable forms of information in the environment, (b) drive automated workflows to protect it against theft using a variety of means, (c) track and analyze how and where the information is being used, and (d) report back on the effectiveness of the activity.
Could the technology be better? That's always the case -- but it's sufficient for many use cases.
Why do I say this? Because I know of many companies that have included "corporate secrets" in their information governance thinking, and deployed technology (usually from RSA) that effectively does this today.
Learning To Manage Information Like Money
One of my older themes is that we're in the midst of a transition in learning to think of information as money, rather than simply as 1s and 0s.
We wouldn't leave a $1m pile of gold bullion sitting out in the open with no one watching. Why would we leave $1m of corporate secrets in a similar state?
Within organizations, financial governance is a well understood set of practices and expectations. I believe that we're traveling down the same road with respect to information governance.
And this paper just provides a bit more context as to how big -- and important -- the topic is becoming.
