Lawyers, Auditors, Clients and Data, oh my!
Peter de Jager is a provocative Speaker, Writer and Consultant. His primary focus is on how we manage change, technology and the future. In addition to speaking at conferences worldwide, he also writes monthly columns for CIO Magazine, Computerworld Canada and the ABA Bankers Journal. His goal is always to question what we think is so, and in so doing perhaps open up new opportunities. If you'd like permission to reprint any of Peter's articles, please contact him directly. You can contact him at Or sign the Guest Book and he'll get back to you.
If you can encrypt data, someone can decrypt it. If they can’t decrypt it themselves because of some temporary technological constraint, then they’ll make someone, somewhere, an offer they can’t refuse. If ‘they’ want access badly enough - they can gain it. Somehow. Count on it.
If this were ‘just’ a matter of developing the right technology, then we could all breathe easier and state (naively) that someday we’d find the right solution to keep our secrets secret. Unfortunately, it isn’t just a technology problem. Security is mostly a people problem, and therefore we can’t ever solve it. People are always the weakest links in any chain protecting your data.
Now what? If we can’t protect our data (and to be very repetitious... we can’t), then how do we conduct business? The answer isn’t to stop using technology. That would make data less, not more, secure. One answer is to match the sensitivity of data against the available levels of security.
The objective is to make the level of effort necessary to break in commensurate with the size of the prize. Gaining access to a list of credit card numbers should be significantly more difficult than reading interoffice e-mail.
This assumes, of course, that there are some standards as to what employees can place in an e-mail. One need only read the newspapers to see how many companies are hauled on the carpet because of things placed in e-mail trash cans.
Quickly now, list and define the levels of sensitivity assigned to your corporate data, and the corresponding levels of security that protect those data categories from unauthorized access. (A correct answer will contribute up to 100 points towards your next performance evaluation.)
Setting the levels of data sensitivity isn’t the responsibility of the IT department. This is a decision for auditors, lawyers and upper management to make. Not every bit of data falls into the ‘Nobody should ever read this, let’s shred it... and then burn it!’ category.
While this example is at the extreme end of the ‘sensitivity’ spectrum, some information (obviously) demands destruction, therefore we assign it the most secure level of security we can afford. Either that or destroy it.
At the other end of the spectrum, we find information with zero sensitivity. You could publish this information on the front page of a national newspaper with no adverse effects. This data is assigned no security.
It’s the data in the middle of the spectrum that causes all the problems. Does e-mail fall into the same sensitivity category as a sales report? A marketing plan? The formula for Coca Cola™ or Viagra? A payroll listing?
Luckily for IT, they’re not (or at least shouldn’t be) responsible for placing all corporate data into the ‘X’ sensitivity categories. This odious task falls to the clients, auditors and corporate legal eagles.
IT has a different type of categorization to perform. Given the existing IT budget and the nature of corporate data, what levels of security can they provide? How will each defined level of security restrict usage of the data it protects? How must business processes change in order to bring a particular class of data under the protection of a particular security level?
Finally, how will IT educate the clients, auditors and lawyers as to what each security level provides, what each costs, and how it will change the way the organization manages its information? This education is vital. There’s no point in putting data into a particular category if you don’t know EXACTLY what level of security will protect it.
One last note: while the levels of data sensitivity are fairly constant, the security levels require constant re-evaluation. Security is always a race, and ‘they’ keep running when we sleep.
Peter de Jager – Peter is passionate about change, how it affects both individuals and organizations and allows them to grow and prosper. To contact him, and host internal seminars on Change Management, visit www.technobility.com