News from the IGI

Information Security & Information Governance – how they work together

By Richard Kilpatrick - Information Technology & Services

Richard Kilpatrick is a highly experienced consultant in information technology, focusing on realistic data governance, security and privacy.  Richard has led programs of work to discover and classify data across multiple business units, within banks, telcos, health and media. In this Information Governance ANZ article, he outlines the difference between Information Security and Information Governance, explaining why IG frameworks are essential for the successful orchestration of specialized security systems.

Information (data) security, cybersecurity and IT security all usually refer to the protection of computer systems and information assets by suitable controls, such as policies, processes, procedures, organizational structures and software and hardware functions. The type and extent of controls depend on the scope and maturity of the business function (usually the Security Department) applying the controls, or on the specialization/focus of the team, such as Perimeter/Firewall or Identity Management. Each function tends to have a different perspective on information security, compared to other functions, due to its focused specialization.

A close parallel is the health profession. You see a GP doctor when unwell, and are referred to a specialist who knows much more than your GP about a particular field of expertise. I know that my GP would not want to perform open heart surgery at all. And equally, a heart specialist would not have up-to-date and practical knowledge of all areas of the body. Tinea treatment? – see somebody else please.

In other words, people specialize in a particular aspect of their work. You can’t be an expert in everything. People prioritize – for example, in busy times, a SysOp will not be as vigilant with security when their primary role is to keep the sales/finance system up and running for all users. This is exactly how Information Security Systems operate.

To read the rest of 'Information Security & Information Governance – how they work together' head over to the original article on Information Governance ANZ.

 

Download Our Newest Comprehensive Case Study on Les Schwab

As part of the IGI’s ongoing work to help professionalize and promote information governance (IG) we have the opportunity to see how hundreds of different organizations approach IG. Although every organization’s IG challenge is unique there are actually more similarities than differences in IG problems and their solutions.

By looking at one organization’s experience with IG in detail, we can learn valuable lessons and gain practical insights that will help all IG professionals mature their IG programs.

This case study reveals a typical but complex IG problem: managing the relationships among key IG players, including:

  1. Outside law firms that play a central role in approving, blocking, and/or advising on key IG decisions (like information retention and preservation).
  2. IG technology vendors that supply the necessary capabilities to understand and take action on your information.
  3. IT departments that actually have their hands on the dials and levers of the systems that house and control your information.
  4. Business stakeholders like department heads who will be directly affected by the policy and technology choices you make.
  5. Risk-focused departments like legal and audit that own key IG decisions.

IG projects require tight alignment and coordination amongst these groups. However, given that these groups often have differing levels of interest, expertise, and even competing goals, this dynamic often derails otherwise well-designed and executed initiatives.

The key to navigating this dynamic is establishing clarity about the role of each stakeholder – especially about each player's mandate and level of authority. Again and again we see nobody taking IG decision-making authority unless it is clearly given to him or her – often simply out of a desire to avoid conflict and to get along with colleagues. Given the relative immaturity of IG, the owner of this authority is often unclear.

As we will see in this case study, Les Schwab found a way to work closely with these stakeholders, and in particular establish a close and fruitful relationship with an outside law firm that not only accelerated its project, but also helped to increase its positive impact on the organization.

Click here to access the case study in the IGI Community.

 

Download Our Newest Deep Dive Case Study on Pandora Media

How Pandora Tuned In to Information Governance
To Take Control of Its Most Sensitive and Valuable Information Assets

An IGI Case Study

Usually when we think "Information Governance," we think traditional, large, litigated and regulated organizations. But as more and more organizations come to understand the value of IG, this image is rapidly changing. Recently, Pandora Media — a juggernaut in the streaming music business — partnered with IGI Supporter Active Navigation and its experts in governance and file analysis on a major IG project. We were fortunate enough to be able to do a deep dive on this project and bring the details to you.

Download the latest entry in our IG At Work series to learn:

  • How Pandora got rid of 60 percent of its unstructured data.
  • What it took for the company to identify and protect its most valuable and sensitive data. 
  • How Pandora developed policies for governing unstructured information.
  • How Pandora built executive support for IG. 
  • How Pandora used file analysis software to reach its IG goals.
  • How Pandora was able to sell the merits of IG to its employees.

The company that emerged on the other side of this critical IG project was more efficient, more versatile and more competitive. And their IG program only continues to grow in its sophistication and impact.

Click here to access the case study in the IGI Community.

 

3 Critical Qualities of Resilient Information Leaders

“Resilience” has become a buzzword, as all seemingly simple and intuitive psychological concepts do once they penetrate our public (and commercial) consciousness. The current buzz around resilience, whether applied to the environment, companies, or children, originated in the field of psychology with researchers trying to determine what makes one person seemingly bulletproof while another, who appears to have every emotional advantage, crumbles when faced with minor adversity. Resilience even has its own counter-buzz, signaling that it has conclusively reached memetic status.

Studies of resilience focus on how we respond to both “environmental” threats—problems that are chronic and less intense but no less difficult—as well as “acute” threats that cause shorter bursts of intense adversity or trauma.

Information leaders face both types of adversity. “House on fire” emergencies like lawsuits, investigations, and cybersecurity breaches represent acute, intense threats that can be all consuming but relatively short in duration. Information leaders also face chronic adversity and threat, often in the form of problems that continue to emerge and reemerge—including long-term efforts to build and enforce an information governance program; evaluating, purchasing, and implementing enterprise software; or guiding a years-long change management program, to name a few.

What Builds Resilience?

Norman Garmezy was a pioneer in the study of psychological resilience. His critical insight was that studying successful people could yield insights not likely to come from studying failure (the common approach at the time). His research led to the identification of several “protective factors” that resilient people have.

Not surprisingly, this research also found that pure luck is a big factor. Some people with an otherwise tough life find a great mentor, bond with an emotionally mature caregiver, find easy financial success, and so on. Others have no luck other than bad luck and it simply overwhelms them no matter what their other qualities.

Luck is no small factor in the lives of information leaders. Sometimes the server just blows up. Sometimes a crucial staff member falls ill or leaves. Management priorities change. Sometimes “mistakes are made,” and there is nothing that anyone could have done to anticipate or prevent them. Recognizing bad luck and not feeling responsible for it or allowing it to drive magical thinking about being “cursed” is a key “protective factor” exhibited by resilient people generally and resilient information leaders specifically.

All resilient people have common qualities. At the Information Governance Initiative, through our research and experience working with IG professionals—including those leading incredibly stressful projects like e-discovery in “bet-the-company” litigation and security breaches—we have learned that resilient information leaders also share many common qualities.

Here are three of those qualities. Join our webinar where we will reveal more details about these and the other six habits that resilient e-discovery leaders share. The 9 Habits of Resilient e-Discovery Leaders webinar is hosted by EDRM.

1. They don’t try to be heroes.

In the face of acute adversity, resilient e-discovery and information governance leaders avoid the misguided sense of heroism that is often associated with focusing on a crisis to the exclusion of everything else. American business in particular has canonized and internalized the image of the cowboy: the rugged individual with a complete absence of emotional need, a singular focus on getting the job done no matter what, and a superhuman ability to do it all himself. The lie of this myth is borne out in study after study showing stress levels going up and productivity, health, and job satisfaction levels going down in workplaces that implicitly encourage, and explicitly reward, this behavior.

Neglecting personal relationships and sacrificing wellbeing by eating poorly and shirking exercise have real consequences over the long term—something that resilient information leaders recognize and incorporate into their working life, even when “the house is on fire.”

Although times of crisis may demand periods of extreme intensity and long hours, they are not sustainable; nor, in most cases, is the damage of trying to sustain this posture—anxiety, insomnia, elevated cholesterol, depression—worth the reward.

2. They play to their strengths—and acknowledge their weaknesses.

Resilient people do not need to be gifted people. In fact, research from developmental psychologist Emmy Werner has shown that a more reliable predictor of resilience is the ability to put your skills to work effectively. For an information professional in the early part of your career, this means learning what your real strengths and weaknesses are, and seeking roles that play to your strengths and minimize opportunities for your weaknesses to limit you. This does not mean avoiding new challenges—in fact, a predictable quality of resilient people is that they seek out new experiences and challenges. However, it does mean understanding your strengths and seeking ways to learn about, identify, and apply them at their full potential.

For information leaders in mid-career and beyond, this also means having the wisdom to supplement your weaknesses by delegating, building a team that complements each other, and hiring deputies who have the strengths you lack but are necessary for e-discovery success. For example, if you have a deep technical understanding but are terrible at putting together a project plan, seek out those who are amazing project managers.

3. They don’t grant failure undue power.

Fulfilling our potential as people, and as information leaders, is dependent upon our ability to absorb, bounce back from, and learn from mistakes and failures. One of the most powerful predictors of resilience is how we perceive potentially traumatic events. In fact, how you view an event, like a stressful and scary e-discovery demand, actually determines whether or not it is in fact ultimately traumatic.

The research gets even more fascinating, clearly showing that exposure to events that could be very traumatic does not actually predict how well a person will function in the future. Rather, the most reliable predictor is the way that person views, or “construes,” an event. This does not mean that we must be Pollyannas or deify the “power of positive thinking,” but it does demonstrate the objective effect that our response to difficult events actually has on whether or not we are traumatized by them. The best news is that the ability to construe potentially painful events in a way that minimizes their harm can actually be taught and learned—with practice and a lot of patience.

Our ability to bear adversity in both our personal and working lives is ultimately simple math: i.e., is the depth of the adversity greater than our resilience? Everyone has a breaking point. Highly resilient people have a higher breaking point. It is important, and I believe uplifting, to realize that these qualities can in large measure be learned. One powerful learning technique is modeling people we aspire to be like, and in the information governance community we are fortunate to have so many great e-discovery leaders who we can learn from as true models of resilience.

 

Presidential Tweets and Self-Destructing Messages Under the Records Laws: The New Normal

Washington, D.C. of counsel Jason R. Baron published an article in Bloomberg Law titled “Presidential Tweets and Self-Destructing Messages Under the Records Laws: The New Normal.”

Jason discusses the recordkeeping challenges and legal developments that result from presidential tweets and other forms of communications used by White House personnel in the Trump administration.

Jason also notes that these legal developments raise a number of information governance issues that have direct applicability to private sector institutes.

Read "Presidential Tweets and Self-Destructing Messages Under the Records Laws: The New Normal."

 

How the General Counsel Can Shape Information Governance

Jake Frazier – Senior Managing Director, FTI Consulting & Sonia Cheng – Senior Director, FTI Consulting
As seen on ethicalboardroom.com

 

Information governance is often thought about in the context of IT efficiency, data security and regulatory compliance. While it is true that these are the most critical drivers for executing data governance programmes, there is an equally important factor that deeply resonates with a corporation’s board and C-suite: reputational risk.

Just as trust is a key and fragile pillar for relationships in our personal lives, it is essential – among shareholders, clients, customers and employees – for a business to thrive. Ultimately, top company leadership is responsible for managing reputational risk and ensuring that the overall direction of the company will uphold trust in the brand.

As we’ve seen countless times, failure to handle data properly often results in damaging data breaches, which beyond legal and compliance violations, break trust and allow doubt to become part of a company’s image. Thus, it is critical that the board views information governance (IG) as being about compliance and legal risk, as it must be, but also as an effort to instil a high standard for ethics and privacy into the company’s culture. By embracing this mindset, a corporation’s leadership can set the correct tone from the top down, building advocacy for actionable programmes that ensure safe and responsible handling of sensitive data, as well as strong compliance and efficiency.

Because the general counsel (GC) has historically been the go-to stakeholder for dealing with highly sensitive issues – primarily for litigation and investigations – the corporate legal team is uniquely positioned to lead the charge towards proactive data governance. Given this fact, the issue of ethical obligation comes into play. In the US, federal and state laws require companies to implement reasonable security protections to safeguard personal data. There is a wide range of similar requirements around the world.

Beyond the duty to disclose, legal teams also have an ethical obligation to maintain a level of technical knowledge. In Day v. LSI Corp., in-house counsel was sanctioned for failing to document and supervise the discovery collection process and for allowing the company’s document retention policy to be ignored. In the context of IG, this is important, as legal teams must have a clear understanding about data sources and retention practices, the impact of how they choose to handle electronically stored information, and accuracy of how facts are represented to regulators, opposing parties and the courts. Ultimately, these points illustrate the fact that ethical obligations cannot be overlooked when considering the GC’s role in IG efforts.

Click here to continue reading about the top issues for 2017...