Many public-sector institutions and large commercial enterprises lack a holistic strategy to curate the lifecycle and manage the organizational use of their most important asset: information. Despite the explosive growth of data and pervasiveness in our personal lives and our business operations, managing information systematically and consistently - based on its value, risk and cost profile - is an uncommon practice.
Most organizations lack adequate oversight and control over the veracity, provenance and volume of their information assets. For example, the unnecessary duplication of data is common practice. Operating under the specter of legal liabilities and compliance issues, organizations store their information assets well past their useful life. Few resources are assigned to holistically align and strategically administer information lifecycle management objectives and the relationships between them. These gaps create operational issues, additional cost, an increase in the attack surface and greater exposure to a cyber event, and most importantly lost opportunities to assign and derive business value from information assets.
Most organizations have a Chief Information Security Officer (CISO), Records and Information Management executive, enterprise architect, solutions architect and many others who can be considered information stewards. In most instances, these information stewards are sprinkled throughout the organization, are isolated from each other, have disparate or even diverging objectives, and don’t have adequate visibility into – or understanding of – the aggregate goals and objectives of the organization.
The CISOs are generally overwhelmed in their role to uphold the principles of data protection and access control while the business wants to move more quickly and reduce cost. In theory, the CISO should view information assets through the prism of confidentiality, integrity and availability. However, their actual knowledge of the integrity of their assets is negligible, and asset availability is generally addressed through access control and system uptime. The CISO is challenged to protect structured data that can be easily identified but largely remains ill-equipped to be a true strategic partner to the C-suite. To do this, they need to understand the reason the data exists, to more holistically identify and classify data, to broaden their risk focus to include information and technology risk, and to understand the holistic control frameworks and corresponding controls that need to be in place to both protect and maximize the value of data.
The Records and Information Management executive fights an increasingly difficult battle to ensure the organization’s information assets are created and cataloged in a coherent and risk-aware manner, and that the assets are retained or deleted per schedule. Legacy infrastructures and the growing volume of information assets significantly limit the effectiveness of this well-intentioned role, and its holder is usually removed from daily business operations and layered within a legal or compliance function. The incumbent rarely has a voice that reaches the C-suite, and the actual operational exposure is largely overlooked in most risk taxonomies and management frameworks.
Coupled with legacy architecture and infrastructure and the need for “speed to market”, the disparate objectives above will make this problem grow exponentially as we create and capture exploding volumes of information. From financial transactions to the digitized self, from content distribution to networked devices, Moore’s Law will seem linear a decade from now.
So, where does the CIO focus to break down these silos and achieve value-driven information stewardship?
Holistic governance across your information assets is a logical and achievable first step. At minimum, the information stewards need to align objectives and ensure timely interactions using a common vocabulary that extends to the CIO and senior business executives. A defined and sustained interaction between these stakeholders is necessary to determine and understand what “stewardship” of information entails, the associated risks and the subsequent value. The current approach, sequential service-by-service integration, unnecessarily exposes the technical implementation to risks resulting from isolated and segmented data resources and connections.
Another option is to recast the role of CISO as Chief Information Risk Officer (CIRO) to ensure a broader awareness and alignment of information risk responsibilities. The existing CISO role is so acutely focused on data protection principles that its holders are generally unaware of the treatment of information assets throughout the lifecycle. However, they need to be aware that their attack surface is growing rapidly as more data is consumed, not properly inventoried and classified to ensure application of controls, and rarely deleted. The CIRO role can align the appropriate information steward responsibilities under their direction and serve to break down the information silos that simultaneously dampen innovation and inflate the threat surface.
Aligning objectives and reconsidering information lifecycle management from a broader information risk perspective represents an opportunity to break down the silos and develop value-driven information. A collateral benefit of this paradigm is that, instead of asking what data is required by a function, the CIO could ask what function is enabled by the data.