3 reasons you need information governance

A few years ago, Gartner predicted that by 2016, 20 percent of CIOs in regulated industries would lose their jobs for failing to properly implement information governance.

Information governance is a set of guiding principles for business leaders (e.g., CIO, CEO, COO, CFO) on the effective, efficient, and acceptable use of information technology within their organizations, according to ISO/IEC 38500:2008.

For some business leaders, information governance is one of those nice-to-haves that falls to the bottom of the priority list because there are always more pressing needs, or there is no line item in the budget for it, or not enough resources to allocate to it.

For some, they believe their information governance framework is good enough. Well, 2016 is right around the corner, and if the Target, Anthem, and Sony data breaches offer any indication of the road ahead for CIOs, then the case for sound information governance is stronger than ever.

If that’s not enough, here are three more reasons to consider implementing information governance.

1. Regulatory Compliance Is Not Getting Any Easier

Whether you are in private industry or government, regulatory requirements that govern the use, acquisition and security of information technology are increasingly impacting the way we do business. There is an alphabet soup of existing regulations, directives and guidelines like HIPAA, SOX, and NIST SP 800-53 Rev 4, and that list continues to grow. In 2013, the Department of Defense issued Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, requiring companies of all sizes to safeguard unclassified controlled technical information that resides on their information systems.

As of January 2015, more than 47 state governments have passed laws that require businesses, information brokers and government entities to implement security measures and in some instances, publicly disclose any security breaches that result in the compromise of personally identifiable information. On January 15, 2015, the comment period for NIST SP 800-171 closed, paving the way for another requirement for federal contractors.

Given that any one of these regulations can contain over 200 individual requirements, the aggregation of security regulations makes compliance all the more challenging. Information governance frameworks like COBIT provide business leaders with tools and techniques for mapping requirements, evaluating plans and policies, monitoring conformance, and making efficient, effective decisions about the use of information technology.

Combined with automated tools and technology, information governance provides a streamlined approach to regulatory compliance.

2. The Baddies Want Your Data

While Target, Anthem and Sony’s data breaches made national headlines, security breaches of this nature are occurring on a smaller scale on a regular basis. Just a month after the Anthem breach, Premera Blue Cross revealed that several of its affiliates, representing 1.8 million people, had been hacked. Government entities are seeing it as well. Last year New York’s Attorney General reported that 22.8 million private records of New Yorkers have been exposed due to data breaches over the last eight years.

Federal contractors, especially defense contractors, are at a higher risk of being targeted by adversaries seeking information about U.S. military and security systems. Today’s hackers represent a persistent threat. Some of them are state sponsored, giving them the time and resources they need to launch a focused, long-term attack on information systems. A closer look at the Target data breach reveals lapses in communication that meant key decision makers were not aware that the breach had occurred until they were notified by law enforcement.

A sound information governance framework provides business leaders with the information they need to make informed decisions about protecting critical information systems, and the tools they need to improve efficiency and responsiveness.

3. It Is Good for Business

When it is all said and done, implementing information governance is the ethical thing to do. Business leaders have a legal and ethical responsibility to safeguard employees’, customers’ and stakeholders’ data. Those that fail to do so may lose their jobs. Regulations impose fines or penalties associated with non-compliance and some businesses face class action lawsuits resulting from data breaches.

Federal contractors that fail to comply with information security regulations could lose their contracts or face prosecution.

Today’s business leaders need to understand the scope and impact of regulatory changes on their business; align organizational policies, practices and procedures to comply with changes; empower those with the technical expertise necessary to implement changes; train employees; ensure key facets of the business are aware of their responsibilities, and hold individuals accountable for compliance with the changes.

Information governance provides business leaders with the tools and techniques necessary to increase stakeholder confidence, protect their organizations and optimize social value. Get ready to give it a try.

About the Author

Angela Dingle is the president and CEO of Ex Nihilo Management, a consulting firm that provides IT governance and risk and compliance services.

Reader Comments

Fri, Apr 24, 2015 Angela

Thanks for the comment. While the overarching requirement for compliance with a variety of business requirements and governmental regulations is not new, changes in technology and the threats that it can pose to the business require a new type of management response. Most notably, senior leadership is being held to a higher level of accountability. It is no longer acceptable for a business leader with "average management skills" to take a hands-off approach to compliance. As we have seen with some of the biggest data breaches in the last couple of years, senior executives are losing their jobs for failing to maintain awareness of the risk to its stakeholders and response to exposure. With respect to a new kind of consultant, there has always been a need to maintain some amount of autonomy between the people that are responsible for implementing a control and auditors, so nothing new there. As long as there is effective separation of duties you should be covered.

Fri, Apr 3, 2015

Very interesting. But it is hard to detect what is new in all this. Seems like a new label was slapped on a rather long-existing set of sensible business requirements and regulatory dictates from the government. Could it not be that a company of average management skill and success is already dealing with these matters? Why is a new kind of consultant needed? Please explain.
