Definitely NO, although there seems to be a tendency to organize information management as part of information security. Here are the five main reasons why this strategy is wrong and why Information Governance needs to lead the practice of the modern digital enterprise (or the main reasons why I changed from a security expert to the more attractive field of information governance):
- Security is important; however, with Information Security nobody will ever gain a competitive advantage. Security plays an important role in the defensive part of the strategic quadrants (1), but it will never be able to generate a bottom-line result for the organization. In our understanding, Information Governance covers several disciplines such as information management, information risk management (information security) and IT governance.
- All risk management methods are based on the assumption that organizations protect all (vital) data within their ownership. In reality, 90% of all organizations have no idea what they actually own (we talk about information = data). So the number one priority must be to identify information based on conformance and performance criteria. Therefore Information Governance is a key discipline to deliver input to risk management.
- Security professionals are focused on security issues. They neglect the importance of information in the business context. Example: the classic classification schemes are still based on the CIA approach (Confidentiality, Integrity, Availability) of data. But the true value of information has an additional set of intrinsic and extrinsic factors, the most important being: value of information, trustworthiness, obligational (legal) value and actuality. A modern classification scheme must include these criteria.
- Security is still too much focused on prevention and correction. Although detection has grown in importance, mainly because of advanced persistent threats, ransomware and other more recent risk scenarios, classic technology-driven IT security methods still dominate the industry (firewalls, disaster recovery, authentication, encryption). The value of information becomes an important factor and will be one of the key disciplines to address important risks. Security must follow a risk-based approach, and to do that successfully, the only way is by identifying important data and protecting it accordingly.
- As defined in 1., information security is a typical part of risk management. Thus information security might be part of the strategic layer of management. In most cases, however, it will be part of the operational layer. Information governance is a roof discipline, which should be positioned at board (normative) level if the organization's core business is the management of information. If we take the example of the “Chief Digitization Officer”, his/her role would include all aspects of Information Governance, including information security as a sub-discipline combined with data privacy.
(1) See http://informationgovernance.ch/en/offers/practitioners-guide-information-governance/ (page 38ff, German version)