I had the privilege yesterday to attend the EURIM Directors Roundtable on Information Governance. The purpose of the event was to identify “whether there is the will on the part of large organisations and their legal advisors and auditors, to take a lead in rebuilding confidence that their information governance is fit for purpose in a world where data loss can destroy competitive advantage.”
The conclusion I reached from listening to the debate was that there certainly is a will, but some doubt as to the way.
Disappointingly – especially given the credibility of the names around the table – I didn’t hear anything new being proposed. It was mostly an extended definition of the problem with familiar remarks such as “consumers need more assurance” and “people and process are more important than the technology.” We listened to yet another analogy comparing the problem to a car with no brakes: I wish people would not do that! You can’t liken the security of data in that way. It’s like comparing bananas with battleships. We can understand the problem without the analogy. What I don’t understand is why some of the brightest and most experienced individuals in the world of government, IT, and information security can’t come up with a decent proposition.
The European Parliament is apparently looking to muscle in and impose a data breach notification law. The issue I see is that, as one person remarked, everyone is literally “spraying their personal data” all over the Internet. If you can obtain all you need to copy somebody’s identity from their Facebook profile then why should business x be penalised if they have a compromise of that same person’s details when it’s all already in the public domain?
That’s not to say that businesses shouldn’t be doing more. Of course they should. I just don’t think that the imposition of new laws, compliance and penalties is the way. Just look at how useful regulation has been in the financial industry. The problem is a lack of control, so the solution must be to impose control right from the start. Companies should have a licence to store private data. Such licence only obtained once specific controls are in place. However, even that would not be enough. One of the observations was that “company boards have an adversion to IT.” The remark was made as if that’s a part of the problem. It isn’t.
This all has absolutely nothing to do with IT. Sure, data is stored in databases on IT networks but this is a cultural problem. It’s about the people and that’s why this EURIM group is ultimately not going to make much difference because it has the wrong people sitting around the table.
What it needs is leaders from the world of HR, marketing, communications, sales and, well, name any other department in your organisation that isn’t IT. The road being travelled at the moment leads to a dead-end.