Every organization cares about security. At the same time, every organization cares about being able to find, and to easily make use of, the information assets being protected by that security.
What’s not as well known is that information management is at the heart of all information security efforts. There’s a direct correlation between how well (and securely) you manage your data, and how effectively and efficiently your business runs.
So by extension, great security leads to increases in business efficiency. And the prerequisite to attaining that efficiency is getting rid of the ROT: the redundant, obsolete, and trivial data in your repositories. That is, you need to purge (or place in dark storage) any and all information that doesn’t actively provide current business value.
Good data security, powered by effective data management, has a trickle-down effect for virtually every area of your business. For instance, if your legal department (or outside counsel) has eliminated unnecessary data, it’s now managing a smaller data set for its e-discovery efforts.
Then there’s search efficiency. The most powerful enterprise search engine out there will struggle to find what you’re looking for, given the poor metadata and haphazard naming conventions that are typical, and all the ROT data that it indexes and ranks with the same weight as everything else. The smaller the volumes of information you’re managing, and the better the metadata, the more efficient the search—a result that provides clear business value to everyone across the organization, making everyone’s business processes more efficient.
The same goes for workflow, another of the benefits from cleaning your data and attaching well-considered metadata. Any systems that rely on both structured and unstructured information will run more smoothly once you’ve cleaned up your data. Less noise means fewer exceptions in your workflows. And workflows that work are the foundational step to all artificial intelligence (AI) efforts you’re putting in place or planning to put in place, going forward.
Finally, it also means greater security. Having cleaned out the ROT, there’s less strategic information for bad actors to steal. If your IT department has a smaller system “footprint,” and older systems are effectively decommissioned, there’s less information that’s unwieldy and not secured—from PII to HIPAA-regulated health data and beyond. You’re “sunsetting” orphan systems, identifying overlap, and reducing redundancy. There’s less for hackers or other bad actors to penetrate, and a smaller concentration of systems for you to secure—all things considered, a more effective way to manage the business.
And while for InfoSec the reward of cleaning your data is a smaller risk surface for penetration by unauthorized parties (and we all know it’s not a matter of “if” but “when”), the information management reward is greater proficiency across the enterprise.
At Doculabs, we take a five-step approach to managing information in order to improve information security:
Analyze Your Data. First scan and understand what you have. What’s the current state of the data in your content repositories? Do you have analytics tools in your technology portfolio, and, if so, do they have the capabilities you need to identify your areas of risk? Having run those tools on your data, where are your risks? Are there pools of data or specific business systems that are the worst offenders?
The result of this analysis may end up a binary choice. Do you “lift and shift” the data to a more effective, integrated repository? Or do you assess, identify, purge and dispose, and then migrate the remaining data to a more integrated repository?
Set up “Guardrails.” The second step in this approach is to build a set of policies, or what we like to call guardrails, to effectively take action upon the types of data you discovered in the analysis phase. This creates an effective structure for your organization, going forward. And it helps you decide whether you need to buy a new information security tool, or reorganize your existing enterprise content management (ECM) platforms.
Some, or many, of your existing information management policies may serve well. You may have a records retention schedule. But do you also have a current data map that helps the organization understand where information resides? What’s the nature of your repositories? How many repositories are being used by a particular business unit or functional area, and are the security and access rights appropriate for each of those repositories?
Other questions to ask: Do you have an orphan data policy? Who owns the data? Is there a disposition playbook, not only for when you delete (or move) data, but for the order in which you handle the deletion of data? These are all “guardrails” to put in place to ensure success.
Set up a Committee. Create a “Center of Excellence,” or COE, consisting of the stakeholders who both use the data and are authorized to make decisions about retention, deletion, organization, and migration of data. This is the group that will put the guardrail policies in place and help you to build consensus around your strategy.
The COE embodies a central theme that’s critical for success: Information security should not be regarded as a “division,” with its own specialized work effort. It’s an enterprise-wide effort. All parts of the business contribute: the formal Security function, as well as IT, HR, Legal, Records Management, Sales, and Marketing, as well as everyone from the business units, all the way up to the C-suite.
Note that you could elect to set up either the COE or the guardrails first; organizations with relatively few existing policies may prefer to make the guardrails the first undertaking of their newly established COE. Either step could come first, but both need to be completed.
Go for Quick Wins! The next step is to clean your data, cutting your teeth on something easy and simple. Tackle some low-hanging fruit. Get quick wins. Anticipate issues, problems, and resolutions that may be more complex once you continue to expand the program. What constitutes low-hanging fruit? Some examples include deleting duplicates, or content 10 years old (or older) that isn’t on legal hold and isn’t a critical document type with a longer retention period (e.g., a land agreement). These two types of ROT alone can account for more than half of the data that can be removed and purged immediately.
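The two quick-win rules above (byte-identical duplicates, and content ten years old or older that is neither on legal hold nor a long-retention document type) are mechanical enough to script. The following is an added example, not Doculabs’ code or tooling: it runs the rules over a small constructed inventory. The inventory schema, the sample records, the `LONG_RETENTION_TYPES` set (seeded only with the land agreement the post mentions) and the “keep the first copy, flag the rest” convention for duplicate groups are all assumptions; a real run would take the inventory from a repository scan and the retention types from the organization’s own retention schedule.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date

# Document types whose retention period exceeds the 10-year cutoff. The post
# names a land agreement; any further entries are an assumption to be filled
# from the organization's retention schedule.
LONG_RETENTION_TYPES = {"land_agreement"}
STALE_AFTER_YEARS = 10
EXAMPLE_AS_OF = date(2024, 1, 1)  # "today" for the worked example


@dataclass(frozen=True)
class Record:
    """One inventory entry (hypothetical schema for this example)."""
    path: str
    content_hash: str      # SHA-256 of the file's bytes
    last_modified: date
    doc_type: str
    legal_hold: bool


def content_hash(data: bytes) -> str:
    """Hash file contents so byte-identical copies match regardless of file name."""
    return hashlib.sha256(data).hexdigest()


def years_before(d: date, years: int) -> date:
    """Subtract whole years, falling back to Feb 28 when the source date is Feb 29."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def find_duplicates(records: list[Record]) -> dict[str, list[str]]:
    """Group paths by content hash and keep only hashes seen more than once."""
    groups: dict[str, list[str]] = {}
    for r in records:
        groups.setdefault(r.content_hash, []).append(r.path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def is_stale(r: Record, as_of: date) -> bool:
    """Ten years old or older, not on legal hold, and not a long-retention type."""
    cutoff = years_before(as_of, STALE_AFTER_YEARS)
    return (
        r.last_modified <= cutoff
        and not r.legal_hold
        and r.doc_type not in LONG_RETENTION_TYPES
    )


def classify_rot(records: list[Record], as_of: date) -> dict[str, str]:
    """Map each purge candidate path to the reason it was flagged.

    In a duplicate group the first path in inventory order survives and the
    rest are flagged. Nothing on legal hold is ever flagged, even as a
    duplicate, because a hold overrides disposition.
    """
    candidates: dict[str, str] = {}
    held = {r.path for r in records if r.legal_hold}
    for paths in find_duplicates(records).values():
        for extra in paths[1:]:
            if extra not in held:
                candidates[extra] = "duplicate"
    for r in records:
        if r.path not in candidates and is_stale(r, as_of):
            candidates[r.path] = "stale"
    return candidates


def sample_inventory() -> list[Record]:
    """Constructed inventory for the example; not real data."""
    policy = content_hash(b"travel policy v3")
    return [
        Record("shared/hr/travel_policy.docx", policy, date(2021, 3, 2), "policy", False),
        Record("shared/finance/copy_of_travel_policy.docx", policy, date(2022, 7, 9), "policy", False),
        Record("archive/2009/q4_budget.xlsx", content_hash(b"q4 2009 budget"), date(2009, 11, 30), "budget", False),
        Record("archive/2008/merger_memo.docx", content_hash(b"merger memo"), date(2008, 5, 1), "memo", True),
        Record("legal/land/parcel_17_agreement.pdf", content_hash(b"parcel 17"), date(2003, 1, 15), "land_agreement", False),
        Record("shared/sales/pipeline_2023.xlsx", content_hash(b"pipeline"), date(2023, 9, 1), "report", False),
    ]


def run_example() -> dict[str, str]:
    """Classify the constructed inventory as of EXAMPLE_AS_OF."""
    return classify_rot(sample_inventory(), EXAMPLE_AS_OF)


if __name__ == "__main__":
    for path, reason in sorted(run_example().items()):
        print(f"{reason:10} {path}")
```

On the constructed inventory only the second copy of the travel policy (duplicate) and the 2009 budget (stale) are flagged; the 2008 memo survives because it is on legal hold, and the 2003 land agreement survives because its document type carries a longer retention period. Reporting the reason alongside each path is what lets the COE review the candidate list before anything is moved or purged.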
Go into Production. The final step is to go to “full clean-up” mode. You’ve test-driven the process; now you can tackle the information that you couldn’t get to with a quick win. Say, for instance, you met with some resistance around your initial disposal. You could move the identified risk or junk to an isolated server, while leaving a stub that lets end users continue to access the content by reaching out to Records Management or IT. After a year or more, you’ll likely have had only a few requests for this data, from among the terabytes stored. Instances like this are what you can point to in order to demonstrate that there is no business value in the information in question, and to strengthen your argument when people say they want to keep it, or that they need that data.
Here’s where you might start to look backwards and assess where the greatest risks are coming from. Can your data be cleaner when it arrives? Where are the leaks? Can you improve specific business processes, or the behavior of personnel or divisions, to make the back-end processes around information governance, information management, and InfoSec easier?
Remember: information security requires effective information management. And great information security, in turn, improves your business flow and processes.
Next up from me: How to clean your data. In the meantime, check out our InfoSec services, and learn how we can help you make the business case for cleaning up your repositories.