With the growing number of data breaches, information governance is no longer a nice thing to have; it's a requirement for good business. Here are three things you need to know.
A few years ago, Gartner predicted that by 2016, 20 percent of CIOs in regulated industries would lose their jobs for failing to properly implement information governance.
Information governance is a set of guiding principles for business leaders (e.g., CIO, CEO, COO, CFO) on the effective, efficient, and acceptable use of information technology within their organizations, according to ISO/IEC 38500: 2008.
For some business leaders, information governance is one of those nice-to-haves that falls to the bottom of the priority list because there are always more pressing needs, or there is no line item in the budget for it, or not enough resources to allocate to it.
For some, they believe their information governance framework is good enough. Well, 2016 is right around the corner, and if the Target, Anthem, and Sony data breaches offer any indication of the road ahead for CIOs, then the case for sound information governance is stronger than ever.
If that’s not enough, here are three more reasons to consider implementing information governance.
1. Regulatory Compliance is Not Getting Any Easier
Whether you are in private industry or government, regulatory requirements that govern the use, acquisition and security of information technology are increasingly impacting the way we do business. There is an alphabet soup of existing regulations, directives and guidelines like NIST HIPAA, SOX, and SP 800-53 Rev 4 and that list continues to grow. In 2013, the Department of Defense issued Defense Federal Acquisition Regulation clause 252.204.7012, requiring companies of all sizes to safeguard unclassified controlled technical information that resides on their information systems.
As of January 2015, more than 47 state governments have passed laws that require businesses, information brokers and government entities to implement security measures and in some instances, publicly disclose any security breaches that result in the compromise of personally identifiable information. On January 15, 2015, the comment period for NIST SP 800-171 closed, paving the way for another requirement for federal contractors.
Given that any one of these regulations can contain over 200 individual requirements, the aggregation of security regulations makes compliance all the more challenging. Information governance frameworks like COBIT, provides business leaders with tools and techniques for mapping requirements, evaluating plans and policies, monitoring conformance, and making efficient, effective decisions about the use of information technology.
Combined with automated tools and technology, information governance provides a streamlined approach to regulatory compliance.
2. The Baddies Want Your Data
While Target, Anthem and Sony’s data breaches made national headlines, security breaches of this nature are occurring on smaller scale on a regular basis. Just a month after the Anthem breach, Premera Blue Cross revealed that several of its affiliates, representing 1.8 million people, had been hacked. Government entities are seeing it as well. Last year New York’s Attorney General reported that 22.8 million private records of New Yorkers have been exposed due to data breaches over the last eight years.
Federal contractors, especially defense contractors are at a higher risk of being targeted by adversaries seeking information about U.S. military and security systems. Today’s hackers represent a persistent threat. Some of them are state sponsored, giving them the time and resources they need to launch a focused, long-term attack on information systems. A closer look at the Target data breach reveals lapses in communication that meant key decision makers were not aware that the breach had occurred until they were notified by law enforcement.
A sound information governance framework provides business leaders with the information they need to make informed decisions about protecting critical information systems, and the tools they need to improve efficiency and responsiveness.
3. It is good for business
When it is all said and done, implementing information governance is the ethical thing to do. Business leaders have a legal and ethical responsibility to safeguard employees’, customers’ and stakeholders’ data. Those that fail to do so may lose their jobs. Regulations impose fines or penalties associated with non-compliance and some businesses face class action lawsuits resulting from data breaches.
Federal contractors that fail to comply with information security regulations could lose their contracts or face prosecution.
Today’s business leaders need to understand the scope and impact of regulatory changes on their business; align organizational policies, practices and procedures to comply with changes; empower those with the technical expertise necessary to implement changes; train employees; ensure key facets of the business are aware of their responsibilities, and hold individuals accountable for compliance with the changes.
Information governance provides business leaders with the tools and techniques necessary to increase stakeholder confidence, protect their organizations and optimize social value. Get ready to give it a try.