As a follow on to my blogpost on High Value Data Information Governance, I thought I would share some additional benefits that company's often realize when they have been able to effectively identify and assess risk for their most valuable information.
While this can be a daunting task for a company, the business benefits of doing so are numerous and span beyond simply "IT Security" into Enterprise Risk Management, Infrastructure Management, Legal and other business areas. Here are a just a few example of the reoccurring benefits that I see with my Fortune 500 clients:
• Improved collaboration and cross-functional decision making across business units.
• Improved business engagement and buy-in to the company’s Information Security Program
• Improved ties of security investments to any current or emerging Enterprise Risk Management efforts.
• Data Protection investments are more effectively prioritized and deployed to protect the company’s most valuable information:
- BCP/DR – prioritization of Business Continuity Plans/Disaster Recovery resources and efforts.
- Infrastructure Hardening - access controls, monitoring, administration, service levels, physical security, etc.
- Security Policy and Awareness efforts – Increased control requirements for processes and systems that support High Value Information Assets and greater investments in Awareness activities for staff that make use of High Value Information.
- Security Technology Investments can be directed and used more wisely
- Focusing or redirecting SIEM, DLP, and other network based security controls to higher value assets and away from lower value.
• Cost savings and/or Cost Avoidance by redirecting effort and energy away from less valuable information – yes, this can and does happen. When a company’s leadership has agreed to what information is most valuable to protect, then it much easier to reduce control costs and accept risks associated with lower value information.
• Vendor Management and 3rd Party Risk Management process improvement and decision making, based upon access to and transfer of high value information.
• Reduced legal exposure via a documented, defensible, and agreed to prioritization of a company’s most valuate information assets and subsequent decisions in control investments. You are in a much better position or at least have a good “1st Line of Defense”, if you have engaged a cross-functional group of business stakeholders that have agreed to what is most important and documented their decisions, than if you DON’T have this. Even if you what you have is not perfect, at least you have demonstrated some initial due diligence…
If you would like some additional perspectives on High Value Information Assets, here is a good article of a security practioner I work with, Tim Layton, and what he refers to as Data Classication: Next Level.
I welcome your comments.
You can follow me on Twitter at https://twitter.com/#!/wmarkbrooks
You can connect with on LinkedIn at http://www.linkedin.com/in/wmarkbrooks