Beyond Cybersecurity: Information Governance

Last Updated: March 3, 2024

CEOs around the globe are scratching their heads, wondering how it is possible that the most advanced and skilled cybersecurity teams are regularly bested by hackers. Even IT security companies are vulnerable, as demonstrated by the SolarWinds attack late last year. US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. So were private companies, like Cisco, Intel, Microsoft, and Deloitte. And the recent Colonial Pipeline and JBS ransomware attacks underscore just how pervasive and serious these attacks have become.

Cybersecurity measures are deployed to secure networks and data, whereas the emerging discipline of Information Governance (IG) goes further, to “secure, control & optimize” information. Here is the crux of the matter: traditional cybersecurity approaches attempt to protect the organization’s information assets from the outside in, whereas Information Governance works from the inside out.

Cybersecurity focuses on layers of security starting at the firewall and works its way in. This is akin to building a large fence around a fort, and then additional fences around the Officers’ Quarters and the supply warehouse. But the problem is that if someone is already inside your fort, or gains access by slipping through a back door, the (information) ‘Crown Jewels’ are not locked up and are vulnerable.

In implementing an IG program, one of the first steps is to inventory information assets and create a data map. This allows the most valuable information to be identified and prioritized, so that more sophisticated (and costly) protection measures and tools can be applied to those information Crown Jewels. They would then sit in a dynamite-proof, iron ‘safe’ of sorts, inside a locked office.

So why doesn’t every major company have a robust IG program? Because it is challenging, it is hard to show a quick ROI payback, and it requires the participation of multiple key business units, including Legal, IT, Records & Information Management, Privacy & Security, and more. With all these departments involved, and their differing agendas, managers oftentimes just kick the can down the road.

However, with strong executive leadership, IG programs can deliver benefits across the enterprise, including reducing information risk, the likelihood of a breach, and the impact of a breach, while improving operational efficiency and maximizing the value of information.

About the Author: Robert Smallwood

Robert F. Smallwood, MBA, CIP, IGP, is a thought leader in Information Governance, having published seven books on IG topics, including the world's first IG textbook which is being used in many graduate university programs as well as to guide corporate IG training programs.