Information Risk Management Tips from Industry Experts


Enterprise data is overwhelming, sprawling and chaotic.
To help data stewards get a handle on how to manage data as it grows exponentially, AccessData tapped Matt Kelly, editor and CEO of Radical Compliance, to host and moderate a three-part webinar series, “Navigating Information Risk, Investigations & Privacy in Today’s Regulatory Environment.”
The first conversation in the series, “Information Risk and Compliance in the Digital Age,” featured panelists Debra Farber, privacy consultant and former senior director, Global Public Policy at Visa, and Bennett Borden, chief data scientist and chair of the information governance group at Drinker Biddle & Reath LLP. Attendees included privacy and security officers, as well as other members of compliance, governance, risk and legal departments.
As a former editor with Compliance Week, Kelly adeptly facilitated the discussion while panelists addressed pressing topics around risk:
  • Defining information risk throughout the enterprise.
  • Companies’ understanding of information risk.
  • How to assign ownership of information risk.
  • The technological changes making information risk complicated.
Below are several highlights of the conversation. If you’re interested in viewing the full recording, the link is accessible at the bottom of this article.

Defining Information Risk

Both Borden and Farber agree that the definition of information risk is often associated with a negative or fearful view.
Farber orients the definition of information risk in terms of impact and harm. How do the threats that make risk possible impact an organization?
Borden says there are many facets of risk. What often comes to mind are security breaches, liability, privacy risk and other dangers.
He wants to flip the negative about information risk and instead encourage people to focus on the value of information. There is a great deal of meaning within information, he shares, and the challenge is how to pull value from information because it is an “amazing asset.”
He concludes that the progression toward a better understanding of information risk is rooted in how workflow processes are computerized. Insights gleaned from human behavior are now recorded and stored at astounding granularity and volume. Senior executives are finally coming of age in the digital era with a more fluid and measurable understanding of how information impacts the enterprise, and they are developing skills across verticals to manage information governance.

Do Companies Understand Information Security?

Kelly posed a question to Borden and Farber about companies’ understanding of information security and whether enterprises knew how to “panic effectively.”
In her response, Farber noted that the data privacy industry is 10 to 15 years behind information security. As a privacy consultant, Farber understands that privacy is more about compliance as a business driver. She says it comes down to effective and responsible governance of personal information and its impact on privacy.
Farber believes companies should earn trust by being transparent with products and services and less concerned about how users behave with a company’s products or services. She wants to see a more robust view on product teams to help build trust and security so product development isn’t a matter of compliance.
According to Borden, the clamor around data is about “what data is, how useful it is, what do we do with it now, and what do we do with it when it’s not useful.”

Assigning Ownership of Risk

Looking at the enterprise as a whole, who is ultimately responsible for information risk? It turns out, that question was more challenging to answer.
Borden suggested an approach that includes developing a formal structure with an information governance steering committee that includes representatives from the major company stakeholders. If a company isn’t mature enough to develop a committee, then create a project-based approach and get opinions on information governance on a case-by-case basis. The best takeaway Borden offers is to be proactive in bringing issues to stakeholders so each has time to develop a response.
Farber suggests there is a pre-risk assessment phase to explore the lifecycle of data. Conforming to the EU General Data Protection Regulation requires companies to keep up with changing practices and new rules as they refine their governance practice. Companies need to be responsible, accountable, informed and communicative within the organization. Farber’s key takeaway is that people should focus on the driver of bringing value to the business.
Kelly asked whether privacy, security and compliance are similar. Farber responded from an internal perspective — that handling risk is similar no matter the focus. Privacy may sit within the information governance committee or apart from security, depending on how projects are managed.
Farber notes that for privacy impact assessment to be effective, it should be regarded similarly to change-management processes. The rollout, its impact, how internal processes and controls are adjusted, and whether there is an acquisition, for example, are all factors.

The Adoption of Technology for Success

In conclusion, Kelly asked whether the haphazard adoption of technology has hindered business success.
Farber immediately commented that there is no central process to evaluate third-party vendors. These vendors are “innocently” waiting in the wings to help businesses adopt SaaS, cloud hosting and storage, and other tech automation. With that comes a contract someone has to sign.
What people don’t realize is while the freemium version may work great for a while, it immediately becomes high risk when sensitive company data gets uploaded to the cloud. Without a vendor management process or security guidelines in place, an enterprise assumes information risk.
Borden agrees with the assessment that haphazard adoption is the biggest problem. Most companies don’t move toward technology in a streamlined way; rather, they stumble to the next platform without rhyme or reason. His counsel applies well: determine what the information is; how it is created; what to do with it; how to protect it when useful; and, most of all, how to delete it when it’s not useful.
The three experts are in agreement that no matter the size of the enterprise, information risk can be controlled with thorough awareness, solid policies, education and communication about how to implement and safeguard proprietary information. 
