EURIM on Information Governance

I had the privilege yesterday to attend the EURIM Directors Roundtable on Information Governance. The purpose of the event was to identify “whether there is the will on the part of large organisations and their legal advisors and auditors, to take a lead in rebuilding confidence that their information governance is fit for purpose in a world where data loss can destroy competitive advantage.”

The conclusion I reached from listening to the debate was that there certainly is a will, but some doubt as to the way.

Disappointingly – especially given the credibility of the names around the table – I didn’t hear anything new being proposed. It was mostly an extended definition of the problem with familiar remarks such as “consumers need more assurance” and “people and process are more important than the technology.” We listened to yet another analogy comparing the problem to a car with no brakes: I wish people would not do that! You can’t liken the security of data in that way. It’s like comparing bananas with battleships. We can understand the problem without the analogy. What I don’t understand is why some of the brightest and most experienced individuals in the world of government, IT, and information security can’t come up with a decent proposition.

The European Parliament is apparently looking to muscle in and impose a data breach notification law. The issue I see is that, as one person remarked, everyone is literally “spraying their personal data” all over the Internet. If you can obtain all you need to copy somebody’s identity from their Facebook profile then why should business x be penalised if they have a compromise of that same person’s details when it’s all already in the public domain?

That’s not to say that businesses shouldn’t be doing more. Of course they should. I just don’t think that the imposition of new laws, compliance and penalties is the way. Just look at how useful regulation has been in the financial industry. The problem is a lack of control, so the solution must be to impose control right from the start. Companies should have a licence to store private data, and such a licence should only be obtained once specific controls are in place. However, even that would not be enough. One of the observations was that “company boards have an aversion to IT.” The remark was made as if that’s a part of the problem. It isn’t.

This all has absolutely nothing to do with IT. Sure, data is stored in databases on IT networks but this is a cultural problem. It’s about the people and that’s why this EURIM group is ultimately not going to make much difference because it has the wrong people sitting around the table.

What it needs is leaders from the world of HR, marketing, communications, sales and, well, name any other department in your organisation that isn’t IT. The road being travelled at the moment leads to a dead-end.  

Join the conversation

4 comments

Stuart, I was an observer at the Eurim meeting and I share your concerns. My take-away from the Director's Roundtable was that the UK citizenry are being exposed to what I call The Dirty Harry Strategy - "do you feel lucky?" One day our luck will run out. More at http://tinyurl.com/5uwm9p
Same faces, same topics, same comments..... my stance on attendance of similar events has been articulated before. Can't help but think that we're going through some kind of moral panic about the loss of control of our personal data. For better or worse we leave information pollution behind us as we go through life. Should we necessarily be worried about this? Maybe we're worrying about losing control of the wrong kind of personal information? Maybe we need a national exercise to re-baseline our expectations about personal information?
I'm putting my money where my mouth is and have volunteered my services to the next phase of this programme. Would be good to think that I can have some influence and help things to move in the right direction.
I did not expect to hear anything new - the question was whether there is will (on the part of those who have the necessary authority/resources) to DO anything. The seniority of the participants and comments at the reception indicated a definite "maybe". Your support could well be most helpful in tipping the balance.
