The Chief Information Security Officer (CISO) is the protector and guardian of your organization’s information assets. This responsibility is becoming more and more difficult, given the explosive growth of information, the rapid pace of transformation impacting information technology (IT) and business, and the proliferation of information across contractors and trusted third parties.
Given recent, well-publicized cybersecurity incidents affecting companies and their private and confidential information, CISOs across all industries are now receiving scrutiny from their management teams regarding how best to manage and protect information. This is both a blessing and a curse. A blessing because budgets are now being made available and organizations are quickly embracing change. A curse because cybersecurity is proving to be bad business where CISOs struggle to demonstrate a return on their investment. Although organizations spend more and more money on cybersecurity initiatives, greater volumes of information continue to be compromised or lost.
The Chief Legal Officer (CLO) or General Counsel also plays an important role related to the protection of an organization’s information assets. CLOs and General Counsel must address an ever-increasing and demanding set of regulatory requirements impacting information across its life cycle (i.e., creation to destruction). Many CLOs own records and information management processes and controls, which may cause people to think of old filing cabinets and boxes at off-site facilities. This could not be further from the truth, given the importance and value of records and unstructured information today.
Both the CISO and the CLO have responsibility over various information-related processes and controls, which may include managing and sustaining confidentiality, integrity, availability, and privacy of information. Typically, the CLO has primary responsibility for policies that govern the management, retention, and privacy of an organization’s information. Organizations often neglect these retention and privacy responsibilities as they redirect their focus to more pressing legal matters. Typically, the CISO has primary responsibility for introducing and managing processes and controls related to the confidentiality, integrity, and availability of an organization’s information. At other times, organizations relegate these responsibilities across various roles and, instead, focus on firefighting and escalation.
Organizations must address how best to allocate scarce resources to protect and govern information. This question encapsulates the evolving dilemma of information governance. How should an organization protect and govern its information assets when the rate of data growth is estimated to be nearly 50 percent year over year? These growth rates present tremendous cost pressures. While the cost of information storage has proven to decrease over time, the cost of incident, fraud, and escalation management continues to increase at exponential rates, with no end in sight.