Bruno Wildhaber

Definitely NO, although there seems to be a tendency to organize information management as part of information security. Here are the five main reasons why this strategy is wrong and why Information Governance needs to lead the practice of the modern digital enterprise (or the main reasons why I changed from a security expert to the more attractive field of information governance):

  1. Security is important; however, with Information Security nobody will ever gain competitive advantage. Security plays an important role in the defensive part of the strategic quadrants (1); it will never be able to generate a bottom-line result for the organization. In our understanding, Information Governance covers several disciplines such as information management, information risk management (information security) and IT governance.
  2. All risk management methods are based on the assumption that organizations protect all (vital) data within their ownership. In reality, 90% of all organizations have no idea what they actually own (we talk about information = data). So the number one priority must be to identify information based on conformance and performance criteria. Therefore Information Governance is a key discipline to deliver input to risk management.
  3. Security professionals are focused on security issues. They neglect the importance of information in the business context. Example: the classic classification schemes are still based on the CIA approach (Confidentiality, Integrity, Availability) of data. But the true value of information has an additional set of intrinsic and extrinsic factors, the most important being: value of information, trustworthiness, obligational (legal) value and actuality. A modern classification scheme must include these criteria.
  4. Security is still too much focused on prevention and correction. Although detection has grown in importance, mainly because of advanced persistent threats, ransomware and other more recent risk scenarios, classic technology-driven IT security methods still dominate the industry (firewalls, disaster recovery, authentication, encryption). The value of information becomes an important factor and will be one of the key disciplines to address important risk. Security must follow a risk-based approach, and to do that successfully, the only way is to identify important data and protect it accordingly.
  5. As defined in 1., information security is a typical part of risk management. Thus information security might be part of the strategic layer of management. In most cases, however, it will be part of the operational layer. Information governance is a roof discipline, which should be positioned on board (normative) level if the organization's core business is the management of information. If we take the example of the “Chief Digitization Officer”, his/her role would include all aspects of Information Governance, including information security as a sub-discipline combined with data privacy.

(1) See http://informationgovernance.ch/en/offers/practitioners-guide-information-governance/ (page 38ff, German version)


20. March 2016

Information Governance – an Information Security discipline?