Moving From Tactical to Strategic
An Enterprise Information Protection program enables organizations to move from initial tactical approaches to protecting information, through varying levels of collaborative programs, and ultimately to a cross-enterprise program that drives proactive and actionable data governance.

Tactical: Most organizations start their data protection and compliance efforts at a tactical level. These programs are often driven by a failed compliance audit or by a more serious data loss incident. Compliance is a key initial building block in creating an enterprise information protection program. However, because regulations aim at meeting a minimally prescribed requirement (risk versus penalty) and are typically event-driven in nature (what to do when it occurs), compliance is in reality unrewarded risk mitigation. Regardless of the initial cause, this level of information protection effort is minimal and targets a limited number of data loss risks, or even a single one. The project does not usually take into account the operational needs of the business or work to support business-critical operations; instead, it often never leaves the realm of IT Security. This leads to one of two results: the project accomplishes some minimum goals but never reaches its envisioned potential, or the company quickly realizes the limitations and risks of the tactical approach and expands the project to define and mitigate a greater number of risks.
Collaborative: The collaborative level of information protection comes in many different forms, but it has some critical and consistent themes. First, companies at this level in the information protection process begin to take a holistic view of their data security risks. They have come to understand that risks to sensitive data are not simply defined by the channel through which data can move, like a network or USB device. Data risk is instead defined by the sensitivity of the data, the riskiness of the business process that drives the data, and the users who are accessing and working with the data. At this level, companies also begin to unify information protection with the operational needs of the business. Visibility gained into data movement and risks opens opportunities to take a greater “business risk based approach” to information protection, where more collaborative sharing of sensitive information is enabled across the enterprise. This begins to move the customer into the “rewarded risk” category.
Enterprise Information Protection: More mature organizations that have instantiated a full enterprise information protection program will be able to leverage actionable data governance for competitive advantage. Strategic objectives are balanced against known and mitigated data loss risks, driving proactive, holistic decisions and business value, thereby achieving the highest level of rewarded risk.
As companies mature their data security process and implement risk-mitigating controls across the extended enterprise, line-of-business and operations managers are able to share previously “locked down” data in more collaborative environments. This enables increased business agility, not only through improved new product research, design and manufacturing but also through improved cost management, as they confidently and in provable compliance share privacy data with low-cost offshore outsourcers.