The Expanding Role of Information Security in Information Governance

The Information Security discipline is undergoing a rapid and profound shift. Its focus is expanding from defending the perimeter against attackers to include risk-mitigation practices, so that when the inevitable breach happens, the organization holds as little sensitive or damaging information as possible and its response processes and procedures are world class.

The Future-state CISO

A primary objective of the CISO in this new environment is to identify and secure sensitive data. Sensitive data includes protected health information (PHI), personally identifiable information (PII), and intellectual property (IP). Another concern of the CISO is “junk” data, the so-called ROT (redundant, obsolete, and transitory data). This matters for two reasons: the more junk an organization keeps on its systems, the harder it is to manage the important data, and every stale copy that is never deleted is one more copy available to an attacker after a breach. Given these general objectives, what will day-to-day responsibility for information management likely entail within Information Security? There are seven areas that any Information Security function or CISO will have to address:

  • Compliance Framework

  • Policy Infrastructure

  • Data Map

  • Disposition Protocols

  • Cleanup

  • Monitoring

  • Prevention

A Real-world Plan of Action

To fulfill these new responsibilities a CISO must be willing to do things differently than they do today. Here are some recommendations for how CISOs can change.

  • Assess the organizational functions which have responsibility for information management-related compliance at your organization.

  • Determine what policies and processes are required for information security to effectively manage corporate data.

  • Inventory sensitive data and ROT and identify ownership.

  • Gain consensus on how to remediate sensitive data and ROT.

  • Implement technology to remediate: delete or archive ROT, and move, encrypt, or restrict access to the sensitive data the inventory turned up.

  • Monitor ongoing behavior to identify areas where the organization is exposed to the greatest risk.

  • Determine how to prevent end users from engaging in risky information-handling behaviors, without unduly constraining their effectiveness in the business.
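The data map and the inventory step above are the point where someone actually has to write something. What follows is an added example, not code from this post or from Doculabs: a minimal scanner that walks a directory tree, flags files holding PII (US SSNs, credit-card numbers that pass the Luhn check, e-mail addresses) and flags ROT candidates (byte-identical duplicates found by SHA-256, and files older than a retention cutoff). It assumes plain-text files on a local filesystem; the sample tree, the employee record and the card numbers in it are constructed for the example, and a real deployment would add more classifiers and pull ownership from the file system or a CMDB.

```python
"""Sensitive-data and ROT inventory scanner (added example, not Doculabs' code).

Assumes a tree of plain-text files. Sample data below is constructed:
a hypothetical employee record and the well-known Visa test number.
"""
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; confirmed with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Count PII indicators in one document."""
    hits = {"ssn": len(SSN_RE.findall(text)),
            "email": len(EMAIL_RE.findall(text)),
            "card": 0}
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits["card"] += 1
    return hits


def inventory(root: str, max_age_days: int = 7 * 365, now=None) -> dict:
    """Build the data map: which files hold PII, which are duplicates, which are stale.

    Paths in the report are relative to root so the output is portable.
    """
    now = time.time() if now is None else now
    report = {"sensitive": {}, "duplicates": [], "stale": []}
    by_hash = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as f:
                data = f.read()
            by_hash[hashlib.sha256(data).hexdigest()].append(rel)
            hits = find_pii(data.decode("utf-8", errors="replace"))
            if any(hits.values()):
                report["sensitive"][rel] = hits
            if (now - os.path.getmtime(path)) / 86400 > max_age_days:
                report["stale"].append(rel)
    # Every hash seen more than once is a redundant-copy group.
    report["duplicates"] = sorted(sorted(p) for p in by_hash.values() if len(p) > 1)
    return report


def build_sample_tree() -> str:
    """Constructed sample data: hypothetical employee, Visa test PAN, one stale duplicate."""
    root = tempfile.mkdtemp(prefix="infogov_")
    samples = {
        "hr/employee.txt": "Jane Doe, SSN 123-45-6789, jane.doe@example.com\n",
        "finance/cards.txt": "Visa test number: 4111 1111 1111 1111\n"
                             "Mistyped (fails Luhn): 4111 1111 1111 1112\n",
        "archive/old_report.txt": "Q3 numbers: revenue up 4 percent.\n",
        "archive/old_report_copy.txt": "Q3 numbers: revenue up 4 percent.\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
    ten_years_ago = time.time() - 10 * 365 * 86400   # push one file past the cutoff
    os.utime(os.path.join(root, "archive/old_report.txt"), (ten_years_ago, ten_years_ago))
    return root


def demo() -> dict:
    return inventory(build_sample_tree())


if __name__ == "__main__":
    for section, entries in demo().items():
        print(section, entries)
```

Each flagged path still needs an owner and a decision (delete, archive, encrypt, restrict), which is the consensus step; the scanner only produces the evidence. On a real corpus, run it against a copy or with read-only credentials, since the scanner itself becomes a high-value process that touches every sensitive file.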

We've covered the basics in this post, but you can download our white paper for comprehensive details on how CISOs and other security professionals can tackle the expanding responsibilities for information governance.

Download the Transforming Information Security with Information Management White Paper

Rich Medina
Doculabs consultants offer in-depth expertise in information management and information security across a number of industries, including financial services, insurance, energy, manufacturing, and life sciences. Our recommendations are based on our experience and empirical data from hundreds of consulting engagements over more than 25 years. As trusted advisors, we provide our clients recommendations that are completely objective.