Why Information Security May be Constraining Business

This article was originally published on LinkedIn on August 5, 2015 @ https://www.linkedin.com/pulse/why-information-security-may-constraining-business-alexander/

The information security function is first and foremost an information management discipline. Its main focus, as we are all aware, is the protection of information, with particular emphasis on its confidentiality, integrity and availability.

This is all well and good provided there is “ceteris paribus”, i.e. all other things being equal.

Wikipedia defines information management as “…. a cycle of organisational activity: the acquisition of information from one or more sources, the custodianship and the distribution of that information to those who need it, and its ultimate disposition through archiving or deletion”.

It is not difficult to see why we are where we are today, because:

  • Information and data are acquired using technology;
  • Information and data are held/stored and distributed using technology;
  • Information and data are disposed of or archived with technology.

Alas, technology is everywhere and it is information and data agnostic. This explains why the information security function in most organisations is technology and controls focused; it doesn’t explain why there is seemingly no accountability/ownership for information management or governance.

Sure, there are “data owners” in some organisations, but more often than not it is seen as a title: there is no clear definition/description of what it means or what these people are supposed to do, nor is there adequate guidance to help them fulfil this responsibility.

A lot of resources have been and still are being poured into “technology security” in the name of information security, but it doesn’t make our information any more secure, judging by the number of high profile data breaches reported in the media every year. Is it not time for us to look critically at how we currently do things and get creative? I absolutely agree with Bruce Schneier, the famous American security guru of Counterpane fame, when he said “If you think technology can solve your security or privacy problems then you don’t understand the problems and you don’t understand the technology.”

Information security is the most visible stakeholder (among several) in the cycle of information management/governance. It is grossly unfair to dump far reaching information and data management/governance decisions on the function without equipping it with the full facts around all the attributes of the information or data. This in my view is the crux of the matter! It leaves the poor security managers and analysts scratching around for business criteria against which to make their decisions, and they are then accused of constraining the business. This is where we get the famous line “security concerns”. Of course it’s a concern! However, it should not be called that, but rather a business governance concern.

Corporate governance must assign accountability for information management and governance to someone who is charged with the responsibility of defining the attributes and framework around corporate information and data management. This is a “top down”, as opposed to “bottom up”, governance approach, where rules and standards are defined beforehand to assist everyone involved in the information management chain to fulfil their responsibility.

Therefore, organisations must assign accountability for governance of information management; within the existing models this could go either to the CIO or to the legal counsel. The CIO or legal counsel can then assign this to either a new role or their CISO, who can then further recruit a specialist non-technical resource to manage the challenge. This resource will liaise with all business unit owners and stakeholders that capture, process and use business information and data. This position will not only collate information/data attributes but also share them with other stakeholders within the business that may require them for their function.

This initial level is one of oversight and coordination; it is not for them to own and define the information attributes for the whole of the business.

No-one except business unit managers knows, or should know, the attributes of the information or data handled by their team. They should have the accountability for defining the attributes of all the data they handle, which they can then share with the coordinator.

There is a huge amount of value in information: efficiencies to be had, as well as improvements to information and data security. New innovations such as cloud, mobility and business process improvement cannot be fully explored without a full understanding of the ramifications for the information/data that will be processed through them. Information management/governance is a foundational requirement on which all else is built.

To my security professional colleagues, my advice is to get your mojo back: engage and challenge the business, project sponsors and senior managers, and stop shying away into the corner for fear of being seen as difficult. You are probably already being seen as that. Guard your credibility and integrity. What have you got to lose?
