How Information Security & Governance Enable Innovation

Over the last 6 months, since leaving a 12+ year career at one company, my thoughts have consistently come back to one concept: innovation. Making positive change in terms of process and efficiency has always been a passion of mine. Nothing is perfect, and anyone using the phrase “We’ve always done it that way!” should be fired immediately for gross misconduct.

In much the same way that to someone with a hammer every problem looks like a nail, my natural inclination as a security ‘expert’ is to assign the lion’s share of importance to my area of expertise. While I most likely go too far in this, I think that I have at least some justification for my assertions, if only in the context of this blog.

Innovation is defined as: the act of introducing something new. This is therefore one of the most critical concepts for the human race since it first achieved sentience (couldn’t use the word ‘intelligence’, I think that’s still pending). Whether you believe that was millions of years ago, 6,000-ish years ago, or it was a present from aliens, the speed with which we evolved from hunter-gatherers into what we are now is astonishing (couldn’t use the word ‘civilised’ either, and for the same reason). In just the last 100 years or so we’ve gone from the first flight to the moon, and from computers the size of a room to mobile devices with more computing power and capacity per unit than existed on the planet just 60 years ago.

All of this was done with one thing as the foundation: information. Yes, that information must be correctly applied to become knowledge – and hopefully in time, wisdom – but everything that has ever been invented, and WILL ever be invented, has information at its core. Invention starts with a need, and it does not matter what that need is, someone will feel the urge to fill it. Only a few people create things of no use (we’ll leave Apple and Modern Art out of this); the rest do it to make money, make a difference, or better the human condition.

The need, in and of itself, is a sort of information; how to take an idea and make something out of it is information; how to build / market / sell / distribute / improve the idea is information; and yes, how to USE the results of the idea is also information.

So why isn’t information better protected?

Why isn’t information seen as the definitive crown jewels in EVERY organisation, especially now that almost every aspect of business is digital, and online? Why don’t CEOs include those in CHARGE of protecting information in the process of business transformation and innovation?

Can’t answer those questions, I’m not smart enough, but seeing as I’m a security expert the why is irrelevant, it’s my job to ‘just get it done’. But that’s the challenge, unless the people ultimately responsible for innovation within a business understand and care about this concept, no-one else is going to care (yes, I’m blaming the CEO …again).

There is an age-old concept in information security: that of Confidentiality, Integrity, and Availability. Some say it’s obsolete and needs refreshing, others try to change the names or add a 4th so that they can be seen to be radical thinkers, but the concept is every bit as valid as it’s ever been:

Confidentiality: If everyone has the information you have, you’re probably not innovating, you’re doing what everyone else is doing. Maybe you’re doing it slightly better than everyone else, but you aren’t going to stay in the lead for long.

Integrity: Not much point innovating if you’re doing it for the wrong reasons, in the wrong place, at the wrong time, or badly. If your information is not accurate and relevant it’s just data.

Availability: You can have all the information in the world, but if you can’t get to it WHEN you need to get to it, it’s as much use as a politician.

The whole point of IT Security is to take care of confidentiality and integrity, and IT Operations takes care of the availability, but it takes the combination of IT Operations, IT Security and the BUSINESS side to put information into context for ongoing innovation. That’s what the Governance committee is supposed to be doing: take a business need, help gather the necessary information to devise a solution, measure the business risk, and either move forward with the solution, or move on to the next.

Big data, data mining, predictive analytics and even the much misunderstood ratings and reviews fields would not be experiencing exponential growth if information was not seen as crucial to maintaining competitive advantage. That’s probably why it’s almost incomprehensible to me that organisations don’t take information security more seriously.

Almost.