Open The Shortest Path First
You are a CIO, you are responsible for managing the flow of information in your organisation. How do you handle information exchange processes?
With an ever-increasing ability to exchange information, the burden grows. This is largely due to increased demands to use consumer-based technologies where security is often an afterthought. Why is this happening?
As an information worker processing hundreds of emails a day, sifting through requests, requirements and responses and moving documents around with a deftness usually reserved for ballet dancers, the paper pushers of the past have become the digital data processing machines of today. So where is the risk? A quick scenario should illustrate:
An email has just arrived from the financial director. He needs an invoice sent off urgently, he has sent you the spreadsheet, and you make the necessary changes. You are about to send it off and realise that company policy dictates that all documents sent to clients must be in PDF format. IT has been swamped with firefighting, you have not got the necessary tools to export to PDF, and the document is urgent. What to do?
Hop online, Google ‘convert excel to PDF’: I can do it online and not get IT involved. Great, convert online, send PDF, job done, phew, that was easy.
You have just taken the shortest path to getting the job done; unfortunately, you have inadvertently exposed the content to a third party in doing so. The shortest path is not always the safest. Cloud services, particularly consumer-focused services, are almost always a shorter path than going through the IT department, with its call logging and service level agreements.
Back in the CIO's shoes, did you know this even happened? Is the user to blame? Has he actually violated the policy? Did he know that he was leaking information?
To remain competitive the ability to collaborate, process and exchange data is paramount. As a CIO it is often impossible to resist board pressures to adopt “unsafe” technologies to keep up with the competition.
There appear to be only two options: Offer a similar quality of tools in the workplace, complete with the ability to work in the same fashion at home, or protect the critical information and sacrifice the operating field.
Option one is untenable. Keeping up with the Internet in offering services to your users is a losing battle, and limiting their access to these online resources is a delicate balance between losing efficiency and improving security.
Option two can largely be achieved through Data Loss Prevention (DLP) systems, which are now beginning to gain a foothold amongst CIOs burdened with compliance requirements that would otherwise require a restructuring of their information models. At worst, DLP solutions serve to highlight the points where information is being exchanged and assist CIOs in identifying weak points, giving them tools to develop metrics and apply changes where they are most needed.
Remember: a user will open the shortest path first. Make the shortest path a secure one. I leave you with this mantra, in the hope that all information processes are held up to this question: Is this the shortest path?
Davin Fligel
Davin Fligel is Chief Security Consultant for Caretower, a leading security solutions provider and value-added reseller operating out of London. Over the last 11 years in the IT industry he has worked as a Network Engineer, Systems Administrator, Security Officer and Presales Consultant for large corporations, security distributors, security resellers and software developers. A jack of all trades with a keen interest in risk management, compliance and security models, Davin works closely with security management teams to identify risk and compliance requirements and provide best-fit solutions to these ever-changing challenges.