Sometimes the best defense is deletion – CSO Online – Security and Risk

The point is prescient. In these early days of Big Data awareness, the battle between information management and store now/analyse later can obfuscate other issues: Cost and Necessity.

ONE BIG POT

Does the practical technology really exist for an organisation to move away from structured databases and just stick all its information into one big ‘pot’, to be mined for gold nuggets at a later date?

Storing information (as opposed to just letting stuff pile up) is a costly business and the decision to store information usually comes from people on higher pay bands.  The decision of where to locate is often a manual decision which not only has a significant management overhead of its own but also involves co-ordination from other high pay bands.

THE COMPLEXITY OF INFORMATION

Add to this dilemma the complexities of  ‘legal hold’ on material and the identification of ‘discoverable’ items.  Suddenly information management looks a lot harder and the siren song of Big Data seems a lot more alluring.  The problem is that information that is not valuable to some is valuable to others.  Who is qualified to make that decision?  Should all information be held given that it will likely have some enterprise value?  The battle is between cost and necessity:

  1. Cost: Deciding what to keep and what to get rid of takes management time and effort that costs money. The problem is that it is neither cost effective nor good policy to push hold/delete decision making down to the lowest clerical level. The secret is to have those decisions made by more senior case-workers but only within their limited remit.
  2. Necessity:  The secret is to categorise management information to determine necessity.  Use a workflow to cascade and delegate (not to avoid) work.  As it moves it accumulates metadata.  No metadata means no necessity and therefore it should be disposed of automatically (eschewing arguments of regulatory compliance).

THE ANSWER

The answer is to automate the deletion of information (other than ‘Legal Hold’).  Once a document/question has reached the end of the workflow without accumulating any metadata then the information should be disposed of automatically.  Case-Workers make the decisions to act on the document/question and metadata is attached by more clerical staff (on lower pay bands) as the item moves through the workflow.  If no metadata is attached it can be assumed that the item is not important and is therefore disposed of.  Cost is minimised by letting case-workers make decisions of relevance within their own sphere of expertise without the additional management overhead for de-confliction/meetings etc.   In this way, the enterprise makes a collective decision of importance and stores the information accordingly thus answering the issue of necessity.

Managing data risk: APRA issues draft practice guide – Lexology

In their article on data security protection Helen Clarke and Melissa Burrill (Corrs Chambers Westgarth) set out an admirable approach to legal protections for data security.  However, their advice breaks the first rule of data security – if you don’t control it, you can’t secure it.  Fundamentally, businesses need to hold their secure information close, or have active measures to secure it, if they are to avoid data security breaches.  In the end, the threat of legal sanction will not stop criminal action by third parties.

The chart below shows the most high-profile data security breaches for 2012.  Clearly, the breaches do not reflect the strength of potential legal action or the drafting of data protection clauses.  No amount of due diligence would have assisted these companies’ clients as the breaches were not due to lax security procedures.

Contracts and legal sanction are only useful to deliver damages and enforce restitution to cover immediate financial losses.  They will not cover loss to brand equity or market share.

The only way to truly secure information is to manage it in-house.  If businesses wish to manage secret or confidential data in a cloud then they should store it encrypted and hold the keys themselves.  Alternatively, they can link databases and hold unencrypted information in the cloud but the actual names of clients can be held locally.

If businesses wish to remain wilfully blind (or take calculated risks) and outsource the storage of secret information then they should think about building in operational sanctions such as the moving, encrypting or the realignment of data against accounts to ensure there is no monetary loss for clients.

[Chart: security breaches, 2012]

Information Outsourcing

Although the Gartner article deals with the monetisation of information assets, the sentiments may lead many businesses to outsource their entire information management responsibility.

The volume of data that most businesses can – or think they should be able to – manage is reaching an inflection point. Businesses which grasp how analytics supports their revenue model will be able to grapple with the continuing demands of information management (IM). Businesses which cannot cope with the perceived threat of information overload may seek to outsource this responsibility. The former will survive, the latter will fail. The research is clear:

  • IM is critical business:  derogating from one’s IM responsibility leads to an overall loss of revenue as businesses are unable to respond to market trends, develop appropriate differentiators, design suitable new products and services as well as leverage their information and knowledge for wider benefit.  Information is a firm’s core business, whether they like it or not.  Outsourcing the responsibility to understand the intricacies of a company’s business model and dependencies into the extended value net is a recipe for disaster.  Businesses should use all available software and technical expertise to do this but must do so with internal resources.
  • Outsourcing accounts for cost differentiators not key value drivers:  Firms which seek to cut costs by outsourcing their IT function do not recoup their losses.  The lessons of Ford, GM and Levi Strauss still remain.  Businesses which outsource their entire IT function continue to lose economic-value-added (EVA).  Although it is a good idea to outsource platforms and infrastructure it is rarely beneficial to outsource applications and services which are deeply intertwined with the more social aspects of a company’s business processes, i.e. if your process isn’t rigidly vanilla and perfectly understood then don’t outsource it.  Banks have well documented electronic processes which allow customers to manage their money and transactions remotely.  Even so, they manage these processes internally because it’s core business.

Businesses which purport to leverage economies of scale in order to be able to make sense of a firm’s information are not telling the whole story. It is virtually impossible to crunch structured and unstructured data to squeeze out additional value unless the vendor has also programmed the client’s value chain and key differentiators into their big-data algorithm.

“IM is not a software problem it is a business problem.  Regardless of the promises by vendors they will never be able to support management in their daily needs to navigate the subtleties and complexities of corporate information.”

It is highly likely that by 2016 the next fad, after Big Data, will be the monetisation of a firm’s information assets.  No doubt that in the low-end of the market there will be some level of commoditisation of information which will support more targeted marketing and the procurement of specialist advertising services.  However, businesses which outsource critical IM functions (largely through cost pressures)  in their business will turn unprofitable (if not already) as they become unable to respond to the market.