A version of this post originally appeared on the CMSWire blog.
The idea of getting strategic around information is hardly new.
Records managers, IT enterprise content management (ECM) owners, information governance professionals, e-discovery owners—literally everyone involved in managing unstructured content wants to stop being tactical and “get strategic” these days. So it's not surprising that information security professionals would join the fray.
But for a number of critical reasons, I contend that it’s the information security professionals who are better placed to help their organizations realize the benefits of improved information management—if they can get strategic about how they do their jobs.
So how do information security professionals get strategic about their jobs?
Without consensus that you can manage information to address enterprise risk, you’re dead in the water. So the first thing you need to do is secure agreement across the enterprise that Information Security can purge redundant, obsolete, and transitory (ROT) data; take control of orphaned data (i.e. data that's been untouched for X years); purge junk data (e.g. iTunes libraries, backed-up hard drives, etc.); and remediate access to sensitive data—all within the overall framework of records management compliance and e-discovery.
Without agreement on these matters, all you can do is protect the borders—try to keep bad actors out by building a stronger moat—an endeavor that seems considerably less achievable since the breaches at Target, Home Depot, Anthem and CHS.
Get Your House in Order
The question of a breach is not if but when, so when you ignore behind-the-firewall information lifecycle management, you do so at your peril. What sensitive data you have and where it's located is as important, if not more important, than how well you secure the perimeter to keep bad actors out.
The difference between a Target and a Home Depot breach comes down to: 1) how well you’ve managed the data lifecycle leading up to the breach, and 2) what policies and procedures you have in place to govern how business users work with content and data day to day.
Deliver Business Value
No doubt about it, CISOs keep CXOs out of jail, and most of the time, those same CXOs are willing to pay for that service. But if you can’t deliver more than that over the long haul, you’ll face increasing resistance as other, more positive business initiatives compete for leadership attention and funding.
Find other sources of business value for your information security efforts—e.g. operational efficiencies gained through reduced volume of “junk” content, or reduced application costs through decommissioning legacy apps.
No Orange Jumpsuits
At the end of the day, the strong mandate most information security leaders enjoy has everything to do with keeping their bosses out of orange jumpsuits. So whatever information governance or compliance initiatives you might be passionate about, know that your leadership is passionate about not winding up in jail—or at least not winding up in front of the Department of Justice, the state legislature, or other high-profile commissions who will call them out on any number of reasonable decisions that, in the light of day, seem less than reasonable.
Never forget who ultimately pays your bills and supports your efforts.
It Tolls for Thee
If you’re a traditional information management professional, this post should give you pause. After all, you’ve had the conch shell for at least 10 years, and yet, more often than not, you still struggle to realize business value beyond the very basics delivered by information management.
So it’s now time to put up or shut up: You own information management; what are you going to do with it?
The Final Word
Although there isn't a one-size-fits-all solution out there, hopefully this post gives you enough raw materials to make progress against your plans back at your desks. And if you’re a more tactical CISO (e.g. have a strong IT development background, or come out of corporate compliance) rather than a more strategic CISO (e.g. come out of the business), hopefully this post gives you some sense of what’s going to be expected of you in the brave new world where information security and information management converge.