Increasingly, information security professionals are being asked to take on additional operational activities such as data privacy, regulatory compliance, and data risk management, which are critical business objectives that a robust information governance (IG) framework helps to address.
What is information governance and why is it so important to the role of corporate information security officers (CISOs)?
What is information governance?
Information governance is a strategic framework for operationalizing and managing information across an organization. According to Gartner, the IG framework “includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.” A successful information governance program covers all phases of the information lifecycle – including creation, protection, storage, access, use and deletion – and the operational activities and requirements associated with each phase.
By governing information throughout its lifecycle IG intersects with information security goals and objectives including:
- Data protection and privacy
- Regulatory compliance
- Data risk management
A robust information governance framework not only can help CISOs in operationalizing their traditional data protection responsibilities, but it can also be of benefit in those areas where the CISO role has been expanded to include other aspects of IG. Let’s look at one example of a key element of IG, data privacy, and how CISOs are increasingly being asked to address privacy within their organizations.
Adding data privacy to CISOs’ responsibilities
Every business typically has a CISO, or other designated information security expert, whose job is to safeguard data and implement tools and solutions to make sure the organization’s information is protected.
However, according to the Cisco 2021 Data Privacy Benchmark Study, data privacy is now the highest priorities for security professionals. Among those surveyed, 34% said data privacy and governance is their top area of responsibility — ahead of assessing and managing risk (31%) and analyzing and responding to threats (29%).
Data privacy and data protection go hand-in-hand.
The CISO is typically the person in charge of making decisions about how to protect and manage certain kinds of information based on its nonfunctional characteristics, such as its sensitivity and value to the organization, i.e., whether the information is public, confidential, or highly confidential.
Since CISOs already have a prominent role in operationalizing how sensitive information is handled, for many organizations they are the logical choice to take on issues such as governing personally identifiable information (PII) and other dimensions of data privacy, either alone or in partnership with a privacy officer.
Safeguarding against data breaches is crucial to protecting PII.
While there are different types of data breaches, the kind that is most worrisome — and costly — to an organization is a breach that involves PII.
CISOs are already central to protecting the information inside an organization and safeguarding it against hackers and other outsider threats. When organizations need to protect PII and have a plan for responding should a breach occur, CISOs logically become the focus for that aspect of data privacy as part of their cybersecurity responsibilities.
Privacy requirements are becoming part of data protection regulations.
As laws such as New York’s SHIELD Act add data disposal and other privacy requirements, CISOs now have to address compliance with those provisions in addition to data breaches and other facets of cybersecurity they commonly handle to comply with data protection regulations.
The importance of the CISO role in managing data risks
Another example of where the CISO’s increased scope of responsibilities intersects with IG concerns data management and risks. CISOs are often the go-to people when others in the organization identify a data risk, whether it is related to PII, regulatory compliance, or the everyday creation and use of business data. For example, someone in legal or records management might alert the CISO to the need for a retention and disposal policy to manage quickly growing amounts of information.
Strictly speaking, controlling how much data an organization has is not a CISO’s job. However, a growing volume of data is not just a threat to data privacy. It also increases the organization’s “attack surface,” which in turn affects information security — putting overall data risk within the scope of CISOs responsibilities.
CISOs already are responsible for managing and maintaining information access and the security of data across the business. They are thus in the best position to operationalize policy throughout the organization.
Organizations may have a privacy officer, legal counsel, compliance analyst, or other leader who is responsible for interpreting privacy regulations and writing policy to govern how information should be handled. Often these departments work independently, so while the policy might be communicated across the organization, its implementation may be haphazard. The CISO’s experience in operationalizing data protection policy is critical to partnering with the privacy policymakers to ensure that privacy policies are also effectively and universally implemented.
The advantages of an IG approach to the CISO’s expanded role
CISOs have a vested interest in managing data volume and data privacy risks via proper information lifecycle governance — gaining greater insight and control over information security by always knowing:
- What information the organization has and how it is used
- Where the information is stored and accessed
- When to dispose of it
In addition to addressing data growth, a robust IG framework can help CISOs address risks posed by issues such as:
- Multiple storage environments
- Cloud-based platform and third-party services
- The “digital transformation” that requires handling information in new formats
- Work from home
Good governance practices improve the ability for CISOs to mitigate and respond to data breaches as well as to eDiscovery and regulatory requests for information. As regulations are expanded to bring in new data disposal requirements and limits on data use, understanding the nuances of information governance can help CISOs update and operationalize policy accordingly.
Overcoming the IG challenges for CISOs
CISOs are increasingly being asked to make decisions about data risks they don’t own and aspects of the business not previously in their area of responsibility. Addressing privacy and data risk requires making decisions and operationalizing policies regarding information access, use, storage, retention, and disposal.
In particular, defensible disposal of data requires an understanding of the legal and regulatory obligations that may apply to the data, particularly for PII and sensitive or confidential information such as financial records, legal documents, and client files.
These challenges require CISOs to engage with people in legal, records management, risk and compliance, IT, and other areas of the business as necessary to:
- Understand how to put governance in place
- Know what information to keep and for how long
- Make sure data policy is operationalized, meaning it is put into practice effectively
By approaching risk management and business objectives from an IG perspective, CISOs can ensure that the right people, process, governance, and technology are in place to help the organization achieve resiliency and success.
To learn more about what information governance is and how it can help CISOs do their job, please contact matthew@bernsteindata.com.