We tend to associate “cybersecurity” in the modern enterprise with a set of tools and measures that essentially protect the “perimeter” of the organization and the “containers” in which corporate data is stored: firewalls, encryption, anti-virus and anti-malware, web proxies, network and packet monitoring, password management, network and application privileges, multi-factor authentication, etc.
Related activities to test and protect an organization include penetration testing, security audits, risk assessments, and “tabletop” exercises. At the end of the day, all of these tools and methods seek to protect the corporation’s main underlying asset – its data. This data may include current and historical records of the corporation’s operations and business processes, intellectual property, and customer and employee information.
The mission to protect this confidential information leads to an inevitable conclusion: better management of that underlying data is a powerful tool for cybersecurity. And to borrow a quote wrongly attributed to Peter Drucker: “What gets measured gets managed.”
By leveraging technologies and techniques specific to that underlying content, corporations can understand “what’s there” and then manage it, protecting it from cyber risk in the process.
Ways to Apply Governance Techniques to Manage Cyber Risk
The manner in which these risks can be mitigated can be broadly described as follows:
- Moving information from unknown locations and purposes into known and managed locations.
- Creating a comprehensive, “evergreen” catalogue of information assets and applications across departments, lines of business, geographical regions, operating companies, and third parties.
- Defensibly disposing of information that is no longer needed for operational, legal, regulatory, or other purposes, including business records that are subject to retention schedules. If it’s not there, it can’t be compromised!
- Gaining control over “neglected” categories of data that may pose a security risk, such as:
  - Former employee information – while departing employees’ hard drives may be wiped per procedure, a significant amount of former employee information may persist in the form of forwarded data, shared folders, email, and other unmanaged media.
  - Legacy systems that may be relatively unsupported but are maintained for reference after a migration.
  - Intermediate data repositories from conversions, migrations, testbed environments, development projects, etc.
  - File transfer operations that leave unmanaged artifacts in staging areas.
  - Transaction logs and database dumps.
  - Extracts from enterprise systems stored in user areas of the network (for example, analysis spreadsheets derived from human resources or accounting systems).
  - Data warehouses or lakes.
  - Data inherited through mergers and acquisitions.
  - Old log files and backups that have long since expired.
- Classifying information by sensitivity and function (e.g., “public”, “confidential”, “crown jewels”, etc.).
- Effectively managing data held by third parties. Given the outsourcing of data management away from company control over the last ten years, companies are subject to the security policies of the hosting provider. Companies must apply the same governance, information management, and minimization practices to hosted data as to on-premises data, especially since they may lack control over the third party’s cyber practices.
- Identifying confidential and sensitive data, including personal information and intellectual property, and moving it to secure locations.
- Implementing actionable retention procedures that are aligned with schedules and policies. As we have seen over the last twenty years, it is far more difficult to dispose of electronic business records at the end of the retention period, and just as hard to eliminate non-business records such as convenience copies. All of these can pose a security risk. Businesses can do far more to help users classify emails that contain business records and move them to managed locations. Further, corporations can recognize the trend away from complex retention schedules toward simplified schedules that enable individual users to better manage their information and dispose of unneeded records safely.
Technology that Can Help Get the House in Order
Note that the tools to foster an “information-governed” organization and the tools to enforce cybersecurity strategies are themselves converging. Nowhere is this better illustrated than in the Microsoft 365 environment, where a common set of tools acts on data stored in the Azure cloud to enable investigation, compliance management, eDiscovery, retention, data loss prevention, and other security controls.
In general, however, a wide variety of software tools have entered the marketplace that bridge the gap between governance and security. These include tools that build inventories of data and applications (both on-premises and in the cloud) and create a shared catalogue.
Note that while existing inventories can be used as starting points, an effective data inventory still requires interaction with users at the business, departmental, and workgroup level to understand the true nature of the systems used “in the trenches” to get the work done (including “shadow IT”). And because users are inherently fallible as to where data lives in the system, a class of data discovery tools has evolved that enables corporations to locate and remediate unknown or unmanaged data inside the firewall, including unmanaged locations such as email, collaboration systems, home and shared directories, and endpoints.
Finally, policy management software can assist in monitoring activities going forward, helping to enforce the new policies and to keep data classified, minimized, protected, stored in the appropriate locations, and known to the organization. This “governed” environment provides the necessary “connective tissue” for the cybersecurity program.