Take a practical approach to information safeguards for email

More from our Reshaping Information Security MarketInsight study.  This section tackles the topic of Information Safeguards and how a practical approach is essential. 

Information Safeguards

Another issue top of mind for the participants was how to control the release of sensitive information.  The guidance provided by many was to take a “common sense” approach and that any technology solution deployed must be practical.

Most participants had some sort of content filtering in place but were struggling with false positives, a lack of deep inspection (including attachments), and the overall effort required to manage a system that provided limited-to-no relevant and actionable information.  In fact, some perceived monitoring to be a “Pandora’s Box” with more headaches than benefits, and several participants advocated weighing the risk present against the risk you are willing to accept as a way to tackle this issue without draining IT resources to police it.  All were incident driven and reactive rather than proactive in approach, with limited knowledge of what was leaving via email or being forwarded outside the company.

Taking inventory of where your information assets reside and who has access to them is essential, although digital rights management (DRM) was only in the early evaluation stages at several companies.

After much discussion, there was consensus that there is no perfect technology to address this issue, but that you must demonstrate that you have done your due diligence and implemented basic or minimum safeguards.  Technology supports the solution, but people are still the ones who distribute information via email.  Controlling access so that only authorized personnel can get sensitive information is a mandatory step, and identifying what could be confidential or sensitive must occur at some level.  How that is done is more complex, whether through establishing an “asset risk management function” or getting the business owners to identify what to look for: keywords, documents, fingerprints, etc.  Building awareness, enforcing through exception monitoring, and implementing the guidance through system controls will begin to safeguard company information.
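As an added illustration of the filtering approach described above (example code written for this page, not part of the study or of any product it mentions), the following Python script inspects an outbound message and its attachments against business-owner-supplied indicators: keyword patterns that require a nearby context term to cut false positives, word-shingle fingerprints of documents classified as sensitive so that a pasted paragraph still matches, and an authorized-sender list so that only unauthorized external disclosure is raised as an exception. The domain example.com, the indicators, the forecast text and the sample messages are all constructed values.

```python
"""Outbound e-mail inspection: keyword indicators with context, document
fingerprints that catch partial copies, and exception monitoring.
Constructed example; not the study's or any vendor's code."""
import hashlib
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"   # assumption: the company's own mail domain
SHINGLE_WORDS = 8                 # consecutive words per fingerprint shingle
MATCH_THRESHOLD = 0.2             # share of a document's shingles that must reappear


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text):
    """Hash every run of SHINGLE_WORDS words. A whole-file hash misses a pasted
    paragraph; overlapping shingles still match a partial copy."""
    words = _words(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()
        for i in range(max(1, len(words) - SHINGLE_WORDS + 1))
    }


def _attachment_text(data):
    # Deep inspection needs a per-format extractor (zip, office, pdf);
    # a plain UTF-8 decode stands in for that here.
    return data.decode("utf-8", errors="ignore")


def inspect(msg, keyword_rules, sensitive_docs, authorized):
    """Findings for sensitive content leaving the company from an unauthorized sender.
    keyword_rules: label -> (pattern, context pattern or None)
    sensitive_docs: label -> fingerprint set
    authorized: label -> senders allowed to send that class externally"""
    external = [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return []  # internal-only mail is not an exception worth an analyst's time

    texts = {"body": msg.subject + "\n" + msg.body}
    for name, data in msg.attachments.items():
        texts["attachment:" + name] = _attachment_text(data)

    findings = []
    for where, text in texts.items():
        for label, (pattern, context) in keyword_rules.items():
            # A bare digit pattern alone fires on part numbers and the like;
            # requiring a context term next to it is the cheapest false-positive cut.
            if pattern.search(text) and (context is None or context.search(text)):
                findings.append({"label": label, "where": where, "to": external})
        shingles = fingerprint(text)
        for label, doc_fp in sensitive_docs.items():
            share = len(shingles & doc_fp) / len(doc_fp)
            if share >= MATCH_THRESHOLD:
                findings.append({"label": label, "where": where, "to": external,
                                 "overlap": round(share, 2)})

    # Exception monitoring: business owners name who may send each class externally.
    return [f for f in findings if msg.sender.lower() not in authorized.get(f["label"], set())]


# --- constructed sample indicators and messages --------------------------------
KEYWORD_RULES = {
    "project-codename": (re.compile(r"\bproject\s+nightjar\b", re.I), None),
    "customer-ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                     re.compile(r"\b(ssn|social security)\b", re.I)),
}
FORECAST_TEXT = (  # stands in for a spreadsheet the business owner classified as sensitive
    "Q3 forecast (constructed sample): North America revenue 41.2M, EMEA 27.9M, APAC 18.4M. "
    "Headcount plan adds 60 engineers in Dublin and 25 sales reps in Singapore. "
    "Churn assumption 3.1 percent; pricing change deferred to Q4 pending board approval."
)
SENSITIVE_DOCS = {"q3-forecast": fingerprint(FORECAST_TEXT)}
AUTHORIZED = {"q3-forecast": {"cfo@example.com"}}
PASTED = ("Headcount plan adds 60 engineers in Dublin and 25 sales reps in Singapore. "
          "Churn assumption 3.1 percent; pricing change deferred to Q4 pending board approval.")
SAMPLE_MESSAGES = {
    "leak": Message("analyst@example.com", ["friend@webmail.example"], "fyi", "see below\n" + PASTED),
    "authorized": Message("cfo@example.com", ["auditor@audit.example"], "Q3", PASTED),
    "internal": Message("analyst@example.com", ["boss@example.com"], "Q3", PASTED),
    "part-number": Message("eng@example.com", ["vendor@parts.example"], "order", "Part 123-45-6789, 40 units"),
    "ssn": Message("hr@example.com", ["payroll@outsourcer.example"], "new hire",
                   "Employee SSN 123-45-6789 attached", {"note.txt": b"Project Nightjar onboarding"}),
}


def run_samples():
    """Message name -> labels of the findings it produced."""
    return {name: [f["label"] for f in inspect(m, KEYWORD_RULES, SENSITIVE_DOCS, AUTHORIZED)]
            for name, m in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, labels in run_samples().items():
        print(f"{name:12s} -> {labels or 'no finding'}")
```

The shingle threshold and the context requirement are the two knobs that decide how much noise an analyst sees: the part-number message and the internal-only forward produce nothing, while the pasted forecast paragraph and the SSN with its context term do. The CFO sending the same forecast to an auditor is filtered by the authorized-sender list rather than by weakening the indicator, which is the "exception monitoring" idea in the text.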

Participants noted that implementing system controls to safeguard company information “doesn’t earn money” and that their time is better spent on projects that are good for the top line (i.e., revenue growth).  Although you cannot stop the determined insider, and eliminating all the exposure that email creates is not feasible, you must try.  But, as previously pointed out, clamping down in one place is like “squeezing one end of a balloon”: it will only push the problem to another.

Always thank the pilot

Just getting back to Seattle after being on the road last week and stopping to visit my parents outside of  Nashville in Franklin, TN on the way back.  For years now I have made a practice of looking the pilot in the eye and saying "thank you" as I get off the plane.  We all have bad days at work and I want the pilot/co-pilot to know that I appreciate them and what they do – including safely delivering me to my destination.  You see, they do something I can’t do – safely take off, fly, and land an airplane. 

Spot it, got it

There are plenty of books, thinkers, and pundits covering management techniques and leadership out there.  Moving beyond buzzwords and acronyms you begin to get to fundamentals.  One fundamental I use is the notion of "spot it, got it."  We have all been in meetings or discussions where a problem is restated over and over or someone will point out that something needs to be done about X.  My approach to these scenarios is that if you bring it up, you own it – be that figuring it out, researching it, or coming up with the solution.  I sincerely believe that merely stating a problem without a proposed solution is intellectually lazy.  You’d be surprised what kind of discipline that this will bring to a team or company – as well as drive creative thinking from those around you.

Enterprise Strategy Group whitepaper on intelligent message management

We announced the release of this whitepaper earlier this week and have gotten some good feedback on it.  We have worked with Brian Babineau and team from ESG for some time and I am a huge fan.  Brian is really knowledgeable and very approachable – things it takes to be a great industry analyst.  Here is a short podcast overview and here is a link to the EDD Blog with their take.  You can download it here or send me note and I’ll get you a copy.

What ‘Effective Teledensity’ is and why you should care

[Image: ITU logo]

Many years ago while at Arthur Andersen I had the opportunity to work on a series of projects looking at the impact, drivers, and opportunity around mobile communications – both satellite based as referenced in this post and terrestrial cellular build out.  During that time, I became acquainted with the International Telecommunications Union (ITU) out of Geneva, Switzerland and their role in understanding, advocating, and setting policy around global telecommunications and their very Flash Gordon-like logo (to the left).

One of the many metrics that I spent a great deal of time analyzing for various markets was teledensity or the number of telephone lines per 100 people.  Fast forward 10+ years and this is now measured as "effective teledensity" which includes both mobile and fixed lines per 100 people.  Teledensity is an indicator of economic development for a country and those that are below 1 have a difficult if not impossible task of getting above it.  One was perceived to be the tipping point to accelerate the connectivity of a population and, by default, economic well-being. Moving from 10 to 30 is defined as the "teledensity transition" where at 30 the majority of households and nearly all businesses have access to telecommunications.

From the ITU:

[Chart: Asia-Pacific telecom transition]

For the developed economies in the Asia-Pacific region, it took between 8 and 35 years (average 16 years) to make the transition between 1935 and 1995, with a progressive acceleration over time. However, for a sample of developing economies in the same region, it took only between 2 and 6 years (average 3 years) to make the transition between 1995 and 2006.  The main difference between the two charts is that the developed countries made the transition using fixed-line networks, whereas the developing economies have invariably made the transition using mobile networks.

Don’t think that communications (especially mobile) is making an impact on the world, accelerating connectivity among people, and improving economies?  Think again.

A new IT requirement – e-Discovery

More from our Reshaping Information Security MarketInsight study.  This section deals with the pain and confusion surrounding e-discovery and how those responsible for information security get in the middle of e-discovery projects.

e-Discovery

One thing became very clear during the course of our discussions – information security and IT professionals are becoming very adept at e-discovery and their time is being filled with requests to produce emails.  In many cases, the infrastructure is simply not in place to provide relatively easy access to the mountain of email produced by a company on any given day.

Following a normal program of deletion is deemed best practice, but even if you anticipate an inquiry and don’t save the email records, you could be in hot water.  One company’s lawyer offered a definition of “transitory” email as one that is not for business purposes; however, this created even more confusion.  In some cases, companies manage separate environments to accommodate legal hold requests and to ensure there is no spoliation of possible email evidence, going as far, in one case, as to set up a separate mail server to which certain mailboxes are moved.

More and more, the participants viewed being able to assist counsel with litigation discovery as a component of their jobs and were actively working to develop cost models for an investigation to ensure Legal was willing to bear the costs when a request is made.  Of most concern to them was the “period of exposure” in a discovery request: figuring out what they had and what they could produce within what time frame.

One participant cited 22 separate discovery requests he had to manage last year, and another quoted that over 40% of the employees at his company were on some type of legal hold.  As for other media and ways to communicate, Instant Messaging (IM) was deemed to be “like a phone call,” so there was no need to archive it, as they don’t record calls; and if thumb drives are permitted and advocated as a way to move files and save data, they now become discoverable.
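The retention and legal-hold mechanics this section describes, as an added example that is not drawn from the study or from any participant: a routine deletion schedule that exempts mail covered by a hold and segregates it (the separate-server pattern mentioned above), a deletion log kept as metadata, and a discovery query that produces what is in scope for a set of custodians over a period of exposure and reports what routine deletion had already removed. Mailboxes, matters, dates and the 365-day retention period are constructed values.

```python
"""Routine e-mail retention that honours legal holds, with a deletion log and a
discovery query over the result. Constructed example; not the study's or any
participant's code."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Email:
    msg_id: str
    mailbox: str      # custodian whose mailbox holds the message
    sent: date
    subject: str


@dataclass(frozen=True)
class LegalHold:
    matter: str
    custodians: frozenset
    start: date                   # earliest message date the hold covers
    end: Optional[date] = None    # None: open-ended until counsel releases it


def holds_for(msg, holds):
    """Matters whose hold covers this message: custodian and date both in scope."""
    return [h.matter for h in holds
            if msg.mailbox in h.custodians
            and msg.sent >= h.start
            and (h.end is None or msg.sent <= h.end)]


def run_retention(store, holds, today, retain_days):
    """Routine deletion: purge mail older than retain_days unless a hold covers it.
    Held mail is segregated rather than left in place, mirroring a separate hold
    server. Returns (live, held, purge_log); the log keeps metadata only, so the
    company can later show what routine deletion removed and when."""
    cutoff = today - timedelta(days=retain_days)
    live, held, purge_log = [], [], []
    for msg in store:
        if holds_for(msg, holds):
            held.append(msg)          # a hold always wins over the schedule
        elif msg.sent < cutoff:
            purge_log.append(msg)     # deleted on schedule, recorded
        else:
            live.append(msg)
    return live, held, purge_log


def discover(live, held, purge_log, custodians, start, end):
    """Answer a discovery request for a set of custodians over a period of exposure.
    Returns (produced, already_purged): what can be produced, ordered by date, and
    what would have been in scope but was removed by routine deletion beforehand."""
    def in_scope(m):
        return m.mailbox in custodians and start <= m.sent <= end
    produced = sorted((m for m in live + held if in_scope(m)),
                      key=lambda m: (m.sent, m.msg_id))
    already_purged = [m for m in purge_log if in_scope(m)]
    return produced, already_purged


# --- constructed mailstore, hold and request ------------------------------------
TODAY = date(2007, 6, 1)
RETAIN_DAYS = 365   # routine schedule: anything older than a year is deleted
HOLDS = [LegalHold("Matter-A", frozenset({"alice"}), date(2005, 1, 1))]
STORE = [
    Email("m1", "alice", date(2005, 3, 10), "pricing deck"),
    Email("m2", "bob",   date(2005, 3, 10), "FW: pricing deck"),
    Email("m3", "alice", date(2007, 2, 14), "renewal terms"),
    Email("m4", "bob",   date(2007, 2, 14), "renewal terms"),
    Email("m5", "carol", date(2006, 1, 5),  "lunch"),
    Email("m6", "carol", date(2007, 5, 20), "lunch"),
]


def sample_request():
    """Run the schedule, then a request for alice and bob over 2005-2007.
    Returns (held ids, purged ids, produced ids, already-purged ids)."""
    live, held, purge_log = run_retention(STORE, HOLDS, TODAY, RETAIN_DAYS)
    produced, gone = discover(live, held, purge_log, {"alice", "bob"},
                              date(2005, 1, 1), TODAY)

    def ids(msgs):
        return [m.msg_id for m in msgs]
    return ids(held), ids(purge_log), ids(produced), ids(gone)


if __name__ == "__main__":
    held, purged, produced, gone = sample_request()
    print("held under Matter-A :", held)
    print("deleted on schedule :", purged)
    print("producible          :", produced)
    print("in scope but purged :", gone)
```

The point of the purge log is the "period of exposure" question in the text: when the request for bob arrives, his 2005 forward of the pricing deck is gone on schedule, and the log is what lets the company state that it was deleted under a routine program before any hold applied rather than leaving the question open.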

How building software is like making sausage

Got an email from a good friend after this post on online vs. offline.  Jim gave me my first product manager job and was a great guy to work with…am still trying to figure out a way to work together again at some point. 

[Image: sausage]

He taught me some valuable things about product management including that product folks will tell you the truth sans spin when asked a question and that building software is like making sausage (apologies in advance to you vegetarians out there) – you don’t want to see it being made but the end product is fantastic.

Anyway, here is some text from his email:

…just continued decentralization…Sun had it right — the network is the computer and that’s where Google is going.  The Telecoms never adjusted and now Microsoft must adjust….Dumb pipes, smart peripherals, data storage costs zero, unconstrained bandwidth (this is the real kicker).

He goes on to point out that a good read on this is George Gilder’s Telecosm.  Do I smell sausage?

Watching how people use technology

"It’s about what to design and when to design, because human behaviour changes very slowly; technology changes very quickly."

This quote is from a BBC article about Jan Chipchase who is a researcher at Nokia Design.  He has a pretty cool job – travels the world and watches how people use their phones to understand where product design needs to go.  As part of the process, he brings designers along so they can see first hand and uses a qualitative market research approach called convergent validity.

Mr Chipchase’s focus is on the uses to which people put their phones; where they keep them, how they answer them, and a million other details about our relationships with these devices that have helped shape our world.

Here’s an eye-catching statistic from the story:

By 2009 more than four billion people in the world – out of a population of 6.3 billion – are expected to have a mobile phone connection in their lives.

That’s 64% of the global population! 

Another data point that confirms mobile devices will become ubiquitous and be the way most of the world’s population connects for the first time.


This is your brain on email

Funny post by Roger Matus of Inboxer on an article in the UK’s Times Online about how sending email and text messages causes the loss of IQ points (temporarily).  Brought to us by our friends at HP (whose market research budget is obviously larger than mine).

"The noticeable drop in IQ is attributed to the constant distraction of “always on” technology…"


I have no idea what…….uh…sorry…just got a message…am back now..they are talking about.

Organizational dynamics and their influence on information security

Here’s an excerpt from our recent MarketInsight report – Reshaping Information Security.  This section deals with the organizational dynamics related to designing and implementing an information security program around corporate messaging.  You can download the full report here or send me an email for it.

Organizational Dynamics

Curiously, this came up repeatedly as both an obstacle and variable to consider when working to implement or design an information security program covering messaging.  One interesting point of view was that people want to report good news and that this topic, at least in the beginning, is rarely good news. 

Organizationally, the Information Security function came out of the IT organization and in many cases reports to the CIO.  It was described as an “immature business function” that can have a “conflict of interest” with the CIO, complicating day-to-day operations.  Further, security alone does not translate to risk management and, in one case, documenting the exposure for a management team was not well received because now something had to be done about it.

Proactive companies have committees or councils whose purpose is to address the broader content and security issues facing the company, and these groups often become a flashpoint for discussions around messaging and proper governance.  They can include Legal, Internal Audit, Business Owners, HR, and various shades of IT.

One thing was made clear during our discussions: the more information you get, the more you must act.  So questions around who owns securing intellectual property or who is going to be the “police officer” for the organization must be sorted out at this cross-functional level.  After all, it is very difficult to manage something you don’t own, and we heard repeatedly that no one wanted to receive “hate mail” from the employees due to a new policy or technology control.  Ultimately, there must be consequences for those who breach the rules, and the urgency and enforcement must come from the top, forcing, in many cases, divisions/departments to participate.