Protecting Information: a cascading approach to information security

There is no easy way to protect corporate information. Protecting government information is easy because they have their own networks. Life in commercial society is somewhat different, but if businesses follow these 6 steps they will be better off:

  1. DEFINE. Don’t protect everything. It costs too much and it’s a waste of time. Define what is intellectual property (patents, trademarks etc). This is the stuff that (a) is legally protectable, and (b) is what the market will pay for (i.e. it isn’t an intangible asset – it has dollar value). Intangible assets which are collectively seen as valuable are classed as intellectual capital. Everything else is either supporting information or junk.
  2. DETERMINE. Determine what goes where as part of your internal processes and workflows. Remember, it gets used if it’s part of the workflow. Proper IP should reside on closed systems with certain roles acting as guardians (e.g. in-house counsel, financial comptroller etc). Intellectual capital, things such as frameworks, processes and analytical methods, should sit on systems with role-based access privileges so that repeated access (e.g. for screenshots) is noted. Printing and downloading should be limited and part of a defined process. Thin client technology helps, but the most important means of guarding this stuff is to make it compartmentalised (i.e. various levels of decomposition etc) so that it’s hard to gather it all together at once yet easy enough to use as a reference tool for team use.
  3. DEVELOP.  Keep developing your intellectual capital.  It’s less worthwhile stealing information which is outdated.  Moreover, make sure that development is cross-functional and multi-disciplinary.  This is akin to holding the encryption key to your intellectual capital.  If only a few central people know how the framework all works together then even if it is taken by former employees they will, at least, be unable to build on it.
  4. IDENTIFY.  Identify the people who are going to access this sort of information.  Now build these roles and enforce them with internal business processes and physical security measures to make this work.
  5. INSPECT.  Tag your information and gain access to employee hard drives.  There is no way around it.  Be subtle about how you approach knowledge workers and develop socially enforceable norms around the use of corporate proprietary information.
  6. INVEST. For intellectual capital works, invest in a great means of display. If you’re afraid of other firms ripping off your frameworks or processes then get a graphic artist to create excellent visual representations. Then you can protect that image through contracts with employees and clients. Any use outside of your parameters can be met with a solicitor’s letter.

Most importantly, invest in your people and invest in the development of new knowledge. If they want to take it, they will, but nothing secures information like happy employees, and few will want to steal outdated information which they can’t build on.

The Value of Information

Information is expensive, of that there is no doubt.  The cost of information technology as a percentage of revenue remains high despite falling capital costs and the cost to maintain specialised management skills to sort and interpret the incredible volume of information.  The question is whether information is actually financially valuable.  Companies spend a large amount on managing information but what return do they see?  What is the value-added figure for information?

Information Value-Added = (Total Revenues + Intellectual Property + Intellectual Capital) – (operations value-added – capital value-added – all purchases of materials, energy and services).

This is to say that once all labour, expenses and capital (that is not part of an information system) are accounted for, the cost is subtracted from the total of gross revenues (plus IP). In other words, it is the part of the profit which is not directly accounted for by operations or increased capital value. It is profit which is attained purely through better managerial decision making. This might be achieving better terms and conditions in the supply of a product or it might be in the reduction of insurance costs on a given contract.

INTELLECTUAL CAPITAL

Note that I include the term ‘intellectual capital’.  I define intellectual capital as an information asset which, if valued, would increase the value of the firm.  This is not to say that the information asset itself has value (such as patents and trademarks which may be bought and sold and therefore are IP) but rather information such as mailing lists, customer preferences, methodologies, databases etc.  These are generally valued in a business as goodwill but ideally should be valued separately.

INFORMATION VALUE-ADDED

Information value as an index can be calculated through the ratio of Information value-added divided by information costs (see previous blog). So, in any given business unit the value of its information is the additional money earned from management’s better decision making.  If this results in better operations then this is ‘operations value-added’ and should not be included.  However, increased revenue not directly attributable to operations should be included as ‘information value-added’.

IS YOUR INFORMATION MAKING YOU MONEY?

The standard answer is no.  In most companies and business units gross revenues (plus IP/IC) may increase but unless unit labour costs and technology costs are kept in check then the overall productivity of information is limited.  In many managerial accounting case studies the value of information is counted as being gross revenue less the cost of IT (where the analysis takes place in a non-operational function such as purchasing).   However, with reductions in IT capital costs over the years one would assume that the ROIC from IT is great.  By adding associated increased labour costs, however, the story is different.  Year on year declines are evident.  The story is clear – information is no longer adding much value in business.

INCREASING INFORMATION VALUE

In order to achieve greater value from corporate information a business must do 2 things:

Firstly, reduce per unit managerial labour costs.  Instead of merely reducing head count the per unit cost of management should be reduced.  In this way the company is working cheaper not harder.  Overall headcount should be the focus of operational process performance enhancements and not structural adjustments.

Secondly, increase profitability from managerial, non-operational decision making (because operational decisions are subject to their own dynamics).  With a renewed focus on (non-operational) decisions which increase profit or reduce costs businesses will find that their ratio of earnings:information cost indices increase favourably.

SWEAT THE MANAGEMENT

In order to achieve a greater return on invested capital companies seek to ‘sweat the assets’. However, labour costs associated with processing and managing information will always rise faster than capital expenditure for IT (as well as associated operational expenditure for service costs of cloud computing). Sweating IT assets is of limited value since they depreciate so quickly that they have virtually no value as soon as they are purchased. In fact, increasing the value of information will largely come from increased revenue from higher management performance, not from lower IT costs. So, in order to achieve a greater return on information companies should seek to ‘sweat the management’.