Information is power, and the effective sharing of information is a route to success and speed of reaction for most organisations. But, frequently, a fear of getting it wrong prevents organisations from really exploiting their information assets to the best organisational effect.
We have talked often about the "security says no" perception, and when a vital project needs information sharing, it can be slowed and opportunities lost by either onerous or out of proportion security requirements. Conversely, vulnerabilities can be created by insecure or inappropriate sharing methodologies.
But how do you share information effectively across business silos or partner organisations, fully exploiting your opportunities and your business framework?
Value your information
Start by putting information and the value of that information at the heart of your security strategy. Understand information management needs in their totality. Information does not exist in isolation and it is not eternal or omnipresent. Embrace the concept of confidentiality, integrity and availability (CIA), for these are the watchwords when it comes to information management.
So much focus is placed on the "C" in CIA that integrity - the completeness and accuracy of the information - and availability to those who genuinely need it often take a back seat. In an information-sharing scenario it is easy to see how this becomes a serious stumbling block.
Get your organisational arms around information lifecycle management (ILM) – managing information from the cradle to the grave.
A business needs to identify all of its information-sharing requirements, both internal and with external partners. Looking at the organisation's structure helps here: existing reporting networks can be used to build a supportive, risk-based and enabling infrastructure that allows safe, collaborative working, rather than one that gets in the way and needlessly prevents that collaboration.
Involve stakeholders in all information assurance (IA) decisions by establishing and encouraging information asset owners to be part of this process. In this way we are extending the reach of IA into the business and really starting to show the benefits of this approach to the organisation.
Establish clear lines of communication and appropriate risk management accountabilities, encouraging escalation of risk management decision-making to a board-level representative where appropriate.
Align security with business processes and organisational risk appetite, core values and operational needs. The Ernst & Young Global Information Security Survey 2012 tells us that only 38% of organisations align security with their risk appetite. It is little surprise then that 70% say their information security policy only partially meets their organisational needs.
The same piece of research reveals that 45% of organisations never discuss information security at the top level of their structure. This will make culture shift and genuine embedded behaviour very hard to achieve and, in all likelihood, will compromise genuinely effective information sharing.
Policy, process, education, due diligence and governance all have a part to play, particularly given the growth in flexible working and the adoption of cloud-based services and platforms and of online collaboration and information-sharing tools, such as Dropbox, to enable it.
Bring your own device (BYOD) and choose your own device (CYOD) are also part of the growing trend towards a flexible workforce. With BYOD, clear policy, education about that policy and enforcement of it are a must. Conducting a proper risk assessment before rolling out any such scheme is vital. Securing mobile devices is challenging enough; a mobile workforce using the same device for home and work gives malware and other malicious incursions an easy route into the business.
Using services such as Dropbox can be appropriate, depending on the sensitivity of the information. The information security policy should make it clear what kind of information can be moved via a service like this: project-based work, for instance, might be entirely appropriate to share in this way, whereas sensitive executive board information or HR information might not be, and an alternative method should be used.
Sharing information is a basic business requirement, but doing it securely means everyone needs to know how they are supposed to do it and why it is so important to use the prescribed methods. Humans are always the weakest link.
Mike Gillespie is director of cyber research and security at The Security Institute.
This was first published in May 2014