Organisations depend on information to operate, thrive and prosper and the information itself is increasingly the core of the business.
Information needs to be treated as the operating capital of a modern organisation - information is the currency of the 21st century. People likely would not treat money with the same disregard that they treat data. Taking care to look after property that is not your own is called stewardship - what is needed is better information stewardship.
Information stewardship is not a new term; it has been in use since the 1990s and covers the wide range of challenges involved in managing information as a key organisational asset. These include the management of the whole information lifecycle from ownership to deletion, as well as aspects such as business value, data architecture, information quality, compliance and security.
Information stewardship uses good governance techniques to implement information-centric security and it involves the business, as well as the IT services group. Lines of business managers, application owners and everyone who touches information are involved as well as the IT service providers.
It creates a culture where the people in the organisation understand the sensitivity of information and the ways in which this information can be put at risk. It applies best practices and uses the most appropriate technologies to protect information.
It makes sure that the organisation is resilient to loss of data by protecting information against that eventuality and, when the seemingly inevitable leakage/loss occurs, information stewardship provides the resilience necessary to mitigate the damage and restore both the information as well as the trust of users.
Human behaviour is one of the key factors to achieving information stewardship. Many factors drive the way people behave and it is a challenge for management to ensure that these are taken into account. Within all organisations, the people have attitudes toward the security of information. The task is to align these attitudes with the needs of the business and how different kinds of information need to be handled.
A guide from ISACA, titled 'Creating a Culture of Security', explains how enterprises can put such a culture in place. According to this guide, management needs to show leadership; however, creating a culture is not simply a serial process; it requires intentional shaping and direction in a number of dimensions:
Changing the perception of security - Security is often seen as a negative thing; something that prevents actions without there being a clear understanding of the risk or the benefits. What is needed is a positive image for security as an enabler. One of the key activities in changing perception is through an internal marketing campaign to rebrand information security in a positive way.
Creating information stewardship 'champions' - People within the organisation who are respected by their co-workers because of their role or their track record are needed to champion information stewardship.
Education, teaching and mentoring - The value of information should be clearly communicated. This should be supported by clear information security guidance (e.g. policies) and training on how to apply them.
Rewards and sanctions - Everyone should be able to see that information security is practised in daily operations. There is visible management support for information security and there are clear sanctions against people who deliberately flout the rules.
It is important to assign responsibility for creating this information stewardship culture. For example, it could be a specific role or an additional responsibility of the chief information security officer (CISO). However, for this role to be successful, it needs marketing and change management skills as much as it needs traditional security skills.
The key to preventing data loss and leakage is to get people to treat information with the same respect as they would money. This requires a change in attitudes and culture. Everyone who touches information or data has a stewardship responsibility for how they handle it.
This personal responsibility cannot simply be taken over by technology or the IT department. It needs to be reflected in policies, job descriptions and implemented through training.
Mike Small is a member of the London Chapter of the ISACA Security Advisory Group, a fellow of the BCS, and an analyst at KuppingerCole