Don't get me wrong, proper information security governance is absolutely necessary in any organisation. I've put "information security" in quotes here to signify a mindset issue that hinders the progression of KM programs. This has been a recurring issue; I have witnessed it happening throughout my KM career.
I was recently working with a colleague from another department on the requirements of their collaboration workspace when he raised concerns about information security. He deals with confidential projects where the customer hand-delivers hardcopy project documents to them, in an attempt to dissuade their reproduction. When a softcopy document is co-created by team members for such projects, only the team lead gets to keep the final copy, and the work-in-progress documents that reside with other team members are deleted. On top of that, the customer performs security audits to ensure that project documents and data are confined to the project team, who have signed a stringent NDA.
Now, this colleague of mine came to the meeting fully aware that collaboration requires an open, trusting and sharing mindset, and he was there just to shoot down the idea with "information security" justifications. It was a scheduled 2-hour meeting, and he told me that he had to leave in 1 hour for another meeting - D'oh! It seemed to me he was trying to take an hour to convince me that it doesn't work for their department.
Fortunately, I was able to say a bunch of things that made him look forward to a 2-hour make-up meeting. Here are my counter-security measures:
- Information custodian, not owner - Unless the customer states, and our organisation agrees, that all information produced during the project belongs to the customer, the information produced in the course of our work belongs to our organisation and not to any staff member. As project teams, the members serve as information custodians, not owners. Information custodians have to act in the interest of the company, and part of that is knowing how to balance information sharing against information security, rather than focusing on information security alone.
- Knowledge Manager, do your part - Since the department sent my colleague as its representative for the collaboration workspace initiative, he represents a positive figure for KM among his peers. As knowledge manager for his department, he needs to convey the importance of knowledge sharing, learning and collaborating, and take a systematic approach to information security, not an emotional one.
- Share unless confidential - When we debate the importance of information security within an organisation, it normally turns out that only a small percentage of documents fall into the confidential category. My colleague mentioned that 20% of their projects are confidential. Even for confidential projects, there are things we can share, such as the team members working on it, the duration, an abstract write-up of the project and the project status. Thus, we are easily talking about more than 80% sharable information. If this is the case, we should make it easy for sharing to take place and let as many staff as possible enjoy the benefits of information access, rather than the other way round. The way to make sharing easy is to open up access to all documents unless they are confidential.
- Go with the majority - Had he told me that 50% of such projects are confidential, that would have made me think twice about the validity of the collaboration workspace. But it's more than 80% sharable, so let's go for it and deal with the 20% later! That 80% will reap enough benefits for the department.
- Acknowledge the information security concerns - So much for the importance of sharing. The information security aspect does need to be taken care of. We have to sit down with the Corporate IS department to discuss how we can handle the confidential information. If all these talks fail, we still have the 80% to work on. Some points to consider:
- Physical location of the database and application server. There are times when these need to be secured away from Corporate IS access. This means that the department may have to be self-sufficient for infrastructure, server, database and application administration.
- There are times when Corporate IS can access and help manage the setup, but the question here is whether they have the resources to do it, and whether doing so is against their policy.
- Can the information be kept in central storage? Sometimes the existence of a confidential document in central storage fails the audit immediately.
- Do the nodes that access the application and database need to be on a private network?
- What is the exposure level of the information? Can it be shared between teams within the same department, across departments under the same business unit, or across the organisation?
- Will the inclusion of third-party tools or customisations cause a security breach, based on the information they are able to extract?
4 Responses to “"Information Security" - a KM program killer”
You are right, 80 percent of information of an organisation is not confidential. As for the rest, it's not important enough for any outsider to be bothered with it. People who think their information is secret are either (1) crooks or (2) insignificant people with oversized ego.
Hi Hsiaoshuang (Francis), thanks for bringing in the perspective that secured information is probably insignificant for sharing.
Crooks and people with oversized ego - maybe they are not worth persuading then!
Hi folk, as an information security consultant I liked the article. It highlights the problem with information security programmes not being based upon an analysis of strategic and operational risks. Security should be a balance between the needs of KM and Info sec.
However I do hope that you're generalising when talking about ego (though I have seen some security consultants who plainly have this issue). Information security is important. For example: 2 months ago a small accountancy practice went into administration. This resulted in the laying off/redundancy of 26 employees and significant disruption to their clients. The overriding cause of their strife was put down to a series of security related issues and the subsequent impact upon their cash flow. Now how important do you think information security is in the mind of the people who have been made unemployed or who have seen their business cease trading?
I'm sorry for those who have been laid off as a result of non-compliance with information security; perhaps they will find solace in the LEMONADE MOVEMENT. The problem is that people are aware of these mishaps around information security and they become overzealous in securing their information. The challenge is to instil confidence in the right level of information security one should practise.