By Sampriti Ganguli & Ian Beale
As businesses seek new avenues for growth, creative uses of information are central to their strategies, and increasingly a source of competitive advantage. So much so that companies are now using the lexicon of "information management" as opposed to "technology management." CEB research shows that 76% of employees now report a significant increase in time spent working with information and data, and the locus of control of where this data resides has rapidly expanded beyond the walls of Corporate IT and into the 'cloud.'
Once upon a time, information risk management wasn't too difficult. Write up a standard policy, train employees, secure the perimeter and the rest would take care of itself. But information risk is more complex now. New technologies - such as mobile devices, social media, and cloud computing - magnify the impact and likelihood of risks companies already assess and collectively push companies' risk exposure beyond acceptable (and manageable) levels. In fact, our research shows that 93% of employees admit to violating the policies designed to prevent breaches and non-compliance, increasing the legal and reputation risks for a company. Combined with a complex regulatory environment, increasingly sophisticated attackers, and expanded uses of information these risks can cost well over $7 million US per year for a Fortune 500 company.
Unfortunately, few companies manage information risk well and traditional governance processes - overly cumbersome 'check the box' compliance procedures, overly bureaucratic risk governance committees, siloed risk management across Legal, Compliance and IT and the business - fall short. These approaches may also result in substantial hindrance to productivity and innovation - an intangible cost that may be significantly greater than the size of the risk.
When it comes to information risk, chief auditors in particular are faced with challenges that revolve around three complex dilemmas - and often make the wrong choices:
1.Struggling to balance the need to secure information and systems with the need for employees to actually have access to the data to creatively use the information.
2.Incorrectly believing that to deliver more reliable assurance they must expand their audit scope of IT security risks rather than focus on the most critical risks and controls.
3. Focusing on auditing the effectiveness of "hard" IT security controls only, in order to deliver reliable assurance and ignoring the essential factors of corporate culture and employee behavior.
So what can companies do to improve their information risk management?
•Get Information Risk Governance right - Companies may be tempted, on the one hand, to control information risk initiatives or, on the other, to abdicate and defer ownership entirely to business units. Striking the right balance is hard but necessary. Companies should focus on the correct "information owners." Information risk management is an inherently cross functional area (and will be for a while) - over-investing in getting the right stakeholders to the table will yield success.
•Gather Information Risks from Risk Takers - Leading companies are now drafting social media policy by gathering feedback from its "power users" employees who regularly use social media platforms for both professional and personal productivity. Nearly 80% of employees describe themselves as "open" to new technology and may implement new technologies within their workflows to simultaneously achieve professional and personal productivity. Think of these employees as the 'test base' to roll out mobility and social media pilots across the enterprise.
•Use 'Principles-based' Policies as Opposed to Rules-based Policies - Trying to block social media usage by stringent policy guidelines is likely to lead to failures. Leading companies now provide extensive social media training and suggested content to a group of employee 'social media evangelists' empowering them to engage with the public via social media platforms on behalf of the company. Similar approaches work for other aspects of information risk.
Sampriti Ganguli is an executive director in CEB's Legal, Risk and Compliance practice, based in Arlington, VA. Ian Beale is a senior director, also in CEB's Legal, Risk and Compliance practice, based in London. Find out more about CEB best practices and insight for Legal, Risk and Compliance officers here.