Data management, infosecurity disconnect reveals two tribes

Infosecurity and data management are failing to harmonise in complex corporate organisations, say data experts. Business value is the common ground that can bridge the divide.

An enduring disconnect between information management and infosecurity plagues corporate organizations, say data management experts.

This has been a recurrent theme of SearchDataManagementUK interviews with people familiar with the state of data management and business intelligence in corporate organisations in recent months.

Jill Dyché, vice president of thought leadership at DataFlux said that security classification of information offers a valuable model for data governance. Some DataFlux customers have begun classifying and prioritizing data using methods learned from the discipline of information security, she said.

For more on the information management, security relationship

Read this extract from Information security: a strategic approach, on

Mobile enterprise content management needs to find a security balance, argues Steve Weissman

G20 deploys secure cloud social media platform at its 2010 summits

However, senior business leaders are still to apt to "think of stolen laptops when you say 'infosec,'"  she said. "They need to think about policy, about who can access what. Not all data is the same." The organisation is "not a whole democracy," she added.

Michelle Teufel, head of global planning and governance at Premier Farnell, an international electronics components distributor, told SearchDataManagementUK in an interview that a culture of ensuring compliance is crucial. Yet it needs to be within the context of putting a clear data governance structure in place, with senior data management and information security officers in position, working together.

Sources do confirm the norm of a "two tribes" situation between infosec and data management. And overarching that is the perennial sibling rivalry between information and technology executives and "the business."

Brett Jackson, President and CEO of LogiXML, has experience that straddles the worlds of infosec and business intelligence. He is a former chief operating officer of managed security services firm Cybertrust, now part of Verizon.

"The cultures are very different," he said. "Unfortunately, infosecurity is all about fear, uncertainty and doubt -- attacks and threats. And [as a vendor] you sell to the infosec organisation, whose job is to protect the organisation from attacks."

With BI, he continued, "We deal with the business. Security is an issue, but it's a broader thing."

However, he added, "the interesting intersection between infosecurity and business intelligence will emerge when cloud becomes a big deal. We come across customers who are enamoured of cloud BI, but don't go ahead because they are worried about data security. They are uncomfortable about moving customers' data outside the firewall to a location they do not own.

"The early days of managed security services [in the early 2000s], when people were getting over the fear of outsourced security reminds me of where we are with cloud-based BI now," he concluded.

Steve Shelton, head of data at Detica, a consulting firm subsidiary of BAE systems with a heritage in UK national security, said big data will be a vector for an intensified security focus.

"The security of big data is being put under the spotlight. Big data technologies, such as Hadoop and other open source tools, don't necessarily have the security model built in," he said. "For example, in HTFS [Hadoop's file system] who has access to what not is not as secure as it is with traditional database vendors."

But, in user organisations, he confirmed that "We are starting to see infosec officers with a tighter remit around data security and conversations are taking place at clients, the biggest heavily involved in adding security to data governance."

Meanwhile, Jim Orr, data governance author and director at Information Builders, said that traditional security and data governance programmes are "not harmonized to the extent they need to be. It is all very immature." However, he added, that also means there is plenty of work to do, in a field he prefers to call "information asset management. It's all about managing your assets to drive business performance.

"I hate the term 'data governance.' It implies a bureaucratic, tactical, cumbersome process that no one is interested in," he said.

The disconnect between data governance and infosecurity seems real and debilitating, according to expert sources familiar with the issue. Whatever the truth of that, if the people in charge of data governance in organisations are not also thinking about data security, corporate HQs will continue to be at risk of becoming crime scenes.

Read more on Business intelligence and analytics