Information Governance Can Limit Data Breaches But That Isn’t The Answer


[Image: Spock's Brain is Gone, the ultimate in data theft]

You may have noticed that there has been a large amount of data and information leaking out into the universe lately. Between people not protecting information, breaking rules around information, or your classic data breach, our personal information is out there, without us, more than ever.

The one thing I hear after every breach is the call for better Information Governance or Records Management. As Don Lueders, whom I respect, put it,

So called ‘data breaches’ are thefts of information and, as such, they are first and foremost a traditional records management problem.  Until organizations understand this and include records management as a critical component of their long term cybersecurity strategy, data breaches – and the disastrous consequences they bring – will continue unabated.

I’ve said this before and I’ll say it again: this is a false sense of security. Disposing of records will not keep you out of the headlines. It will only give you a false sense of security.

There is Always Sensitive Information

Let’s face it, you can delete all the information you want. Even if you magically identify and delete everything that is no longer needed, ignoring any historical or regulatory value, there is always some piece of information waiting to make headlines.

As Don referenced, in 2015 the U.S. Office of Personnel Management (OPM) had 21 million records stolen. This was information compiled from government clearance background investigations. My information was stolen as was key data about everyone I referenced on my clearance form.

This is bad and I was upset. However, better enforcement of the records policies would have made little difference. Two million records would still make headlines and there are likely many reasons they needed more than that many on-hand.

Additionally, that information has value. Any person beginning a new clearance process will be cleared faster if the old information is available for investigators to reference.

Consider the Sony email breach. There were a lot of embarrassing emails shared with the public. Many were only months old. How can disposing of emails at a faster pace protect you when people are writing potentially damaging emails every day?

Risk versus Value

We didn’t have these problems when we had paper records. We also couldn’t analyze our data to find answers. Sometimes a written request for information would take two weeks (after it was delivered by postal service) to get to a person who could answer the question.

Storing offline doesn’t solve the problem. Information needs to be accessible to people. Records are being kept because the information might be needed. The question is, How do you balance risk against value?

The problem with information’s value is that you never know when it will matter. As better analytics come forward, the potential value of your older information grows. Past trends can be analyzed to predict future shifts. Algorithms can be developed to study past fraud cases to flag new potential fraud cases.

You have to have information to achieve those value building results.

Even neglecting the potential future value of information, and the historical value, there are laws and regulations that require some records to stay around for years. That is the reason records management exists. It isn’t to dispose of records. It is to preserve them as long as necessary. After that time has elapsed, then you are permitted to dispose of the records, not required.

Security Matters

The answer is security. It isn’t the airtight security that forces people to find ways to work around the “approved” tools. It is many layered:

  • Train staff to recognize when they are being targeted for information. Social engineering and phishing are just the tip of the iceberg. Training needs to be ongoing as the threats evolve.
  • Two-factor authentication integrated with Single Sign-On (SSO) helps limit authentication hacking.
  • System patching matters. The sooner an exploit in your system is patched, the sooner the window of opportunity for hackers vanishes.
  • Network monitoring to watch for unusual behavior in the network is critical. Something will get inside. You need to see it happening early so you can shut it down.
  • Encryption of data at rest actually matters. Two decades ago, it was inefficient and the belief was that if they got to the content you were already in trouble. While still true, it forces the hackers to hack the enterprise applications storing the information, which buys time and limits the value of the breach to the hackers.

There is a lot more to it. Security professionals can go on for hours about all the things that they can do to protect you. The items above are less intrusive to the people trying to get things done than many other options.

You have to let people work. People can work around any overly restricting security measure. When they do, your information ceases to be safe.

Just one change won’t make a difference. You have to have a comprehensive approach.

We Own It

There are a lot of things that we, both as individuals and organizations, can do about this. As people who use these “free” services, we can be more cognizant of what information we share and the settings that we select. As a society, we can push to punish those that misuse information or gain it through deceit. As part of an organization we can train our staff and deploy better security tools and processes.

One thing is clear, effective Information Governance includes security. You have to know where everything is and how it is secured. That locked file cabinet in your locked office in the secure building is no longer enough. Having it offsite in a secure storage facility with security cameras is no longer enough. Information has to be accessible to create value. Moving physical items like paper, optical disks, or other storage devices is clinging to 20th century mindsets in a 21st century world.

Keeping information analog or off-line will make your organization slow to respond. In case you haven’t noticed, the world is shifting quickly. Organizations have to adapt. Information professionals have to understand security basics so we can have meaningful and productive conversations with both security experts and the business that we serve.

Face it; hackers can get into any system. If they want to get into your system, they will. Invest where you can and you will at least keep the opportunistic hackers at bay.

Oh, and one last tip. Never boast about your security. Hackers love a good challenge.

Book Review: Designing Connected Content

[Image: Designing Connected Content]

Two book reviews in a row? Yep. As I said in my last review, I’m reading non-fiction a lot more now and I have a backlog of industry books to read. One of the authors of this book, Carrie Hane, is a good friend. I watched her work on Designing Connected Content for pretty much all of 2017. I was very excited to finally get my copy.

For years, Carrie and her co-author, Mike Atherton, have been talking about Designing Future Friendly Content. In the web world this means using a structured content model so that the management of the content is not tightly coupled with the presentation layer. As design trends change, your content and underlying website structure don’t have to. Taken to its ultimate conclusion, you are looking at a headless Content Management System (CMS) supporting one or more presentation layers (web, mobile, Alexa…).

They finally took the time to write a book on the topic. It was time well spent.

Book Review: Web Content Management

[Image: Web Content Management by Deane Barker]

A long time ago, Deane Barker swung through DC on business and I was lucky enough to have breakfast with him. Even luckier, he gave me a copy of the book he had recently published through O’Reilly, Web Content Management. After nearly two years, during which I read very few non-fiction books, I picked it up and gave it a read.

I’m glad that I did.

I am not going to profess having learned a ton about Web Content Management (WCM) from reading Deane’s book. After all, I have been doing this whole content management thing for a while. However, it was great to read a collection of wisdom from Deane’s decades of experience focused in this domain. Deane is an excellent writer and his practical (and witty) use of footnotes really conveys what is involved when you tackle a WCM project.

InfoGovCon 2017 Continues to Set the Bar High

[Image: Governor Raimondo speaks at InfoGov17]

This post has been a long time in coming because I’ve been trying to process everything that happened this year. Once again, InfoGovCon was a great event and the Information Coalition should be proud at the quality of speakers that they assembled. After all, how many conferences score a governor and get them to talk about something relevant?

Conferences like InfoGovCon are critical for the industry. We are still building a template for consistent success. As Shannon Harmon, whom I had the pleasure to meet this year, put it,

The best practices are still being developed. The body of knowledge is under construction.  This makes information governance an exciting space within which to work.  It can also be immensely frustrating for those who want a well-defined structure in place.  Working in this space requires a certain comfort level with the unknown.

After decades of working in this space, I agree that there are still some unknowns. We have learned a lot about what NOT to do. It is the way we can get things done consistently that we are still putting together.

An All New Monktoberfest, Putting Society First

[Image: Trips to Portland are never complete w/o some Speckled Ax coffee to jumpstart the day & the brain]

If you’ve spent any time around me in the fall, you know that my favorite conference, by far, is the annual Monktoberfest. Hosted by Redmonk every year in Portland, Maine (aka Real Portland), Monktoberfest operates at the intersection of technology and social. I like to think of it as taking craft technology, craft beer, and mixing it together to find ways to make the world a better place.

This year Stephen O’Grady took it up a notch. The 12 months since the previous Monktoberfest have been, at best, tumultuous. This is not a phenomenon of any single industry or country. It feels like the coming to a head of various forces in society that is making people of all walks of life realize that they have had enough.

Seeing, and feeling, this unfold made Stephen create the most important non-technical, tech conference you need to attend.

Focusing on the Local by Joining the NCC-AIIM Executive Committee

[Image: Hanging out at AIIM Nats night w/ (left to right) Mark Mandel, AIIM Vice-Chair Mark Patrick, and dedicated AIIM staffer Theresa Resek]

I’ve talked a little bit here about the need to improve the local communities for information management. It is an area that ARMA does better than other groups in the industry but their focus and members can be intimidating for those who aren’t records managers. AIIM chapters are a decent alternative but there are a lot of challenges.

For the past couple of years, I’ve been chatting offline with some chapter leaders from both associations, brainstorming ideas, and trying to think of ways to improve the local community. Some of these discussions became more focused when Kevin Parker became the president of the local AIIM chapter, NCC-AIIM. During one of these discussions I agreed to join the chapter’s executive committee.

Book Review: Women In Tech

[Image: This is the book you need to buy]

It’s been a while since I wrote a book review, mostly because I’ve been reading fiction and history, neither of which really fit this blog. However I just finished a book that definitely deserves a review, Women In Tech.

First, the TLDR: Read the book!

Women in Tech was written by Tarah Wheeler Van Vlack in conjunction with women drawn from across the tech world. It is a blend of a career guidebook and inspirational stories written by women from different backgrounds. Each woman has made their unique mark in the industry.

Before I get much further with this review, it must be noted that as a man, I am not the primary target for this book. That is not to say I didn’t gain value from reading it. Far from it.

I learned a lot and enjoyed reading the book. Women in Tech is well written, humorous at times, and I highly recommend it for anyone in the tech industry. One last note, as women were the primary audience, my perspective on the book should be considered in that light.
