We are in the midst of a data explosion—CRM data, customer-tracking data, social data, real-time sensor data, industrial equipment data, web logs of all sorts are streaming into organizations at an astounding rate. It is clear that organizations that are best positioned to make efficient use of their data gain a competitive advantage in the marketplace. But it is also clear that data, like critical intellectual property or sensitive customer data, can be a liability in the wrong hands.
In some shape or form, data protection is top of mind for most CIOs these days. It's no surprise that many CIOs list bring-your-own-device (BYOD)/mobile and cloud computing among the top things that keep them awake at night. Mobile and cloud erase the traditional security perimeter behind which organizations have hoarded their data in the past.
To attack this issue from both sides—to improve the efficient use of data within the organization while also improving data protection—one information security and privacy expert says organizations need to take a cue from the government sector, particularly the U.S. Department of Defense (DoD).
"The cyber risk is an asymmetric threat," says Andrew Serwin, CEO and executive director of The Lares Institute, a think tank focused on technology, privacy and information governance. He is also the founding chair of the Privacy, Security, and Information Management Practice and a partner of Foley & Lardner LLP and advisor to the Naval Post Graduate School's Center for Asymmetric Warfare advisory team. "What that really means is there are organized actors who try to use information against us and create an information imbalance. They find the weak link and attack."
These days that weak link may not even be within your organization. For instance, maybe one of your suppliers doesn't follow the same security protocols you do. An attacker could penetrate that supplier's defenses and from there move up the chain into your network.
Information Superiority Allows You to Optimize Risk
"This is not a technology problem," Serwin says. "It's an information problem. What I have been advocating to deal with that is a doctrine that started at DoD, which is Information Superiority. At DoD, they want to have command and control of the information domain. In the private sector, that means you want to make superior use of information within the company to reduce cyber risk, increase profit, reduce costs and protect against brand damage."
According to the DoD, Information Superiority is "a relative state achieved when a competitive advantage is derived from the ability to exploit an 'Information Advantage'," and as "the ability to develop and use information while denying an adversary the same capability."
For instance, Serwin says, the U.S. Navy has taken a leading role in rethinking how the U.S. military leverages data in its operations. He notes that the Chief of Naval Operations has elevated information to the Navy's "Main Battery," its primary weapons systems. A key element of that elevation was the removal of sub-optimal information stovepipes in favor of "Warfighting Wholeness" together with an increased concern with cybersecurity issues.
"In order to achieve Information Superiority, to paraphrase the DoD, the private sector must engage in technical and behavioral modification in how information is collected and processed in order to add value," Serwin says. "The first step private companies should take is to create a governance structure, or committee, that includes key senior stakeholders from departments such as IT, privacy, human resources, audit, legal, treasure, security and others with the goal of increasing the horizontal sharing of information and making information the "Main Battery of Business."
Information Governance Structure Should Inventory Information Assets
The first goal of the information governance committee should be a complete information inventory to understand what information the organization has and where it resides, Serwin says.
Once complete, the organization should undertake a data classification exercise. The intelligence community divides information into four categories: unclassified, confidential, secret and top secret. Serwin suggests the private sector adopt a similar scheme, developed by The Lares Institute as the Privacy 3.0 framework for protecting consumer data: non-sensitive, slightly sensitive, sensitive and highly sensitive.
The point of such classification is to focus data protection efforts.
Adopt a Data Classification Scheme
"For example, companies could place increased protections on systems that contain highly sensitive forms of data under the Privacy 3.0 model, such as Social Security numbers, passwords, financial account information and other similar forms of information," Serwin says. "This allows companies to focus proportionally less resources on less sensitive forms of information such as online purchase history, search history and certain forms of social media data."
"You're never going to be perfect, but you can eliminate a lot of the problems with information if you focus on the most sensitive information," Serwin adds.
Seek Ways to Share Information Horizontally
Once an organization's entire information inventory has been classified, the information governance committee should focus its attention on creating new ways to horizontally share information within the company while reporting back to senior leadership on its progress.
"Concerns about information typically focus on subjects like privacy—the private sector's attempt to limit its legal exposure in the use of consumer data," Serwin says. "While privacy is an important issue, an exclusive focus on privacy is too narrow if one is attempting to achieve Information Superiority. Achieving Information Superiority in private business has a broader sweep. It is concerned with any information that would aid executives in making decisions that drive revenue or reduce costs, which includes, in many cases, consumer data."
Indeed, the ultimate point of better protecting your data is to free your organization to more freely share data horizontally to identify issues and opportunities that had previously been obscured.
"For example, the customer service group in a mobile device manufacturer might have information on patterns of dropped calls resulting from a software or hardware flaw that was impossible to see until the product was deployed," Serwin says. "Unless that information is effectively shared with the groups responsible for software patching and hardware design, a solution will not be incorporated in future updates to the company's detriment."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at firstname.lastname@example.org