Information Security – A New Frontier?
Traditionally, companies have focused their security efforts on protecting internally managed, internally generated information from reaching unintended audiences. This includes unpublished financial performance, sensitive employee and customer data, intellectual property, current tenders in progress, business strategic plans and so forth.
At the same time, public information specialists have ensured that the company’s public face, its brand and reputation, are protected and enhanced. Never the twain shall meet.
IT, working in a vacuum, has increasingly espoused the philosophy of control and containment. The common wisdom is to manage what you can control, work within your sphere of influence – because things that happen outside your control are just that: outside your control.
The rise of social networking is changing this, but company IT departments are slow in recognizing this shift. Here is an illustration.
I was at a luncheon on Information Security hosted by PricewaterhouseCoopers recently and was taken by a comment by one of the presenters. He said he was encouraged that in previous years we were talking about IT Security, now we were talking about Information Security, and he hoped that in future years we will have moved to talk about Information Risk.
This started me thinking, so I posed a question to the panel: We talk about protecting endogenous, or internally generated, information a lot, but what about exogenous, externally generated information? This is the stuff that happens in the public domain – customers, the media, even employees to some extent talk about the company and its products in the public arena. This information pertains to our company, its products and services, but it is generated externally. I made the comment that in the past we could control to some extent this exogenous information, but today, with Twitter, Pinterest, Facebook, YouTube, blogs, etc., the public has a lot of leverage. I asked them for their thoughts on security over exogenous information in this new world.
Their response? They told me that companies need to think long and hard about allowing staff to access Facebook and Twitter at work.
It seems to me that PR and marketing people are a LONG way ahead of IT people when it comes to this type of information security. Blocking staff access to social media at work is like holding up an insect screen to stop a tsunami.
It is past time that IT managers broadened the scope of their security thinking and engaged with other areas of the business to form a coherent plan designed for the modern era.