Using Information Management to Improve Information Security: Lead by Example

Recently, I’ve seen too many instances where an organization’s corporate culture runs counter to the goals its corporate leadership has defined for how information is to be managed. It’s a case of leaders not practicing what they preach, and a critical inconsistency that ultimately has clear consequences for information security.

As an analogy, consider an example from occupational health and safety. Factories have safety rules—documented safety rules. Safety regulations are critical for the health and well-being of workers, and for overall productivity. But what happens if a manager or executive doesn’t follow the rules? What if a leader, for instance, doesn’t bother to wear a hardhat or safety glasses out on the factory floor?

I’d argue that when it comes to information management, it’s just like occupational health and safety: It’s critical to lead by example.

That means things like not hoarding information beyond its regulatory or business use life. Not keeping transient data longer than policies dictate (2 years, at most organizations I’ve worked with). And when it comes to “orphaned” versions of information, it means identifying and assigning a data owner—or, if that’s not possible, purging that information.

These are all pretty standard kinds of policies that should be practiced for effective information management leadership. But all too often in a Doculabs consulting engagement, when I talk with a company’s “rank-and-file” employees, I hear that policies like these are not being practiced—at any level in the organization. The result is shared drives and content repositories loaded with content that’s no longer accessed—or even needed.

Information management leadership is good for information security.

How does this relate to information security? Well, when an enterprise gets rid of the stuff that’s not needed, and takes steps to protect its important and sensitive information by placing it under appropriately secure management, it minimizes its information risk surface and can better protect itself. The organizations that are most focused on minimizing their information risk surface use effective governance when they structure information management policies and procedures and when they decide how data will be stored and made searchable. It’s then incumbent on executives, as well as managers of individual business units, to lead by example. “Do as I do,” in other words.

So how do you go about changing your information management strategy so that it better serves your organization’s information security needs?

Improve information security by following the basics of a strong information management strategy.

  1. First, look at the growth in data volume, the type of data you’re working with, and how you’re storing that data. If your organization’s structured and unstructured data environment is growing at a rate of more than 20 percent annually, it’s likely you need to focus on some sort of cleanup effort. An organization seeing high growth rates in its information volume probably also has hundreds of categories in its retention schedule, a situation that is likely too overwhelming for employees outside the information management function to manage.
  2. Second, establish a solid foundation of policies, procedures, and standards, along with guidelines to deal with old, outdated or orphaned information. If your existing policies don’t address all of the areas where information can “hide” (for instance, if there are too many exceptions, such as mobile devices or non-approved storage platforms like Box or Dropbox), you probably need a new approach to addressing these exceptions. Remember, exceptions can be okay; you just need a policy and approval process that helps you understand why they’re required. A good governance system can help account for exceptions—or help business users better understand the solutions that IT and the Information Management team have available.
  3. Finally, make sure you lead by example, and communicate often with those people out in the trenches—the business users who regularly work with the data and information. Effective leadership in this realm is critical. Imagine that you have a pile of documents, mixed up with junk. Buried in there is sensitive information—possibly even documentation of the “secret sauce” that distinguishes your company and allows your employees to get their work done. Governance is about getting rid of the junk, and then working to protect the important stuff. Communication gets everyone on board with why you’re doing it.

Be strategic with your communication.

Effective and frequent communication from key executives and managers is critical. And that communication should be based on leading by example. It starts at the top:

  • No more hoarding of documents on the departmental shared drive.
  • No more keeping outdated information or duplicate documents indefinitely, “just in case.”
  • And no more “orphans,” either.

I remember in a prior job when the memo came down sanctioning casual clothing in our workplace. I no longer had to wear a jacket and tie. It definitely took me a while to adjust. But when my boss – and the CEO – showed up in (admittedly rather smart) jeans and loafers, I knew it was okay to “dress down.”

That top-down example setting is important for any organization that wants to adopt changes—and adapt to them.

In the end, though, what you need is an approach that integrates your strategies for information management and information security—and Doculabs offers a range of services to help you do this. For more information on Doculabs’ InfoSec services, click here. We’d be happy to discuss how we can help you implement that kind of approach at your own organization—and the change management to make it work effectively in your corporate culture.

Rich Medina
Jim Polka
I’m a Principal Consultant. My expertise is in security-based information management and strategic deployment of ECM technologies.