Recession or not, the protection and management of data remains vital, yet IT can often be perceived as the unpopular enforcer of a risk management strategy, said one IT consultant. Taking a holistic approach by getting other business units involved in the business case is better than making it solely an IT project, said George Gorsline, managing director with Initiatives Inc. based in Toronto.

"The extent to which it's not IT's initiative will get you further along," said Gorsline, who was one of three panelists at a ComputerWorld Canada technology insights event Thursday entitled Conquer Your IT Risk Management and Compliance Challenges.

Gorsline said IT departments must pick and choose constituencies for which risk management is a "hot button" and have them articulate the business risk that lack of risk management presents to them. That gives IT some "great talking points" for when they present their business case and weigh the relative risk of having a strategy versus not.

Dale Mills, chief information officer with Toronto-based Mills & Associates, said that in IT organizations where he previously worked, he chose not to take on the role of privacy officer, instead setting up the risk management initiative within the legal department.

Human resources, too, said Mills, is a good business unit to collaborate with by virtue of the fact that they are responsible for creating a code of conduct for the company. Mills suggested incorporating aspects of policies concerning information use into that code of conduct.

But rules for appropriate information use, said Mills, must be well-structured -- preferably based on roles and not individuals -- to lessen potential complexity because "it can be a nightmare setting up, but (also) a nightmare to audit," he said.

John Harris, product manager for electronic signatures & security alliances with San Jose, Calif.-based Adobe Systems Inc., said that while tools must be designed to fit internal use policies, employees shouldn't feel constrained by the restrictions. "Let them grow but grow within certain walls," said Harris. Those policies and procedures should also heed the habits of the different age groups that workers fall into, noted Mills, because "you don't want to alienate employees."

But not only must IT contend with the sheer amount of data that an organization produces, it is invariably faced with the challenge that every bit of that plethora of data -- including valueless "noise" -- is considered intellectual property, said Gorsline. IT must allow remote access to that data, yet in an easy fashion, he said.

While companies are increasingly aware, said Harris, of "accidental information loss" through stolen laptops and misplaced USB devices, "companies haven't done a comprehensive analysis of that risk."

Earlier in the event, Harris said, during a keynote, that data is not what it used to be considering it comes in an array of formats like paper, PDF, e-mail, instant messages and tweets, and can be stored in a variety of places. "Now, you have archives, databases, information sits on laptops, removable drives, and on smart phones," said Harris.

Creating a risk management policy in a synergistic fashion, and communicating that policy, is key to success, he told the audience. That policy then drives an organization's choice of technology -- not the other way round, said Harris.