Companies must strike a balance between being able to share information and protect it, in order to support business growth. BAE Systems’ Malcolm Carrie explains where the answer lies…
Business depends on sharing information: internally between teams and externally with customers and suppliers. Yet they face a paradox. In order to be successful, firms need to share information and yet keep it secret. Good information security is the solution.
In today’s corporate world, suppliers include business process outsourcers and professional services such as audit, investment banking, legal, travel, and even research and development. Information is often shared across national borders because the company itself is global or because the supply chain, including the one for information services, is global. That global supply chain is becoming increasingly common due to the growth of software as a service and pervasive, easy to use and cheap “cloud” services.
Much like Sherlock Holmes’ “curious incident of the dog in the night time”, the business that doesn’t share information is odd to say the least. That said, it’s self-evident that certain information should be protected. It may be valuable to criminals or to your competitors. Just think about credit card and identity details, bid pricing, acquisition targets, or even the crown jewels – that recipe for Coca Cola. What’s more, all nations have laws and regulations that limit the sharing of information, whether focused on privacy, export control, insider trading or other elements.
The Solution
Good information security covers people, process and technology. It creates the understanding, at all levels in the organization, that finding the appropriate balance of availability, integrity and confidentiality requires a full appreciation of the risks.
An essential starting point is that all information is not equal. The extremes are corporate crown jewels (the Coca Cola recipe) and corporate detritus (last week’s canteen menu). Reality is not so black and white. Not only are there shades of grey but information sensitivity changes with time. The company results are highly sensitive until the morning they are published.
The trick is to have sufficient categories of information sensitivity to be meaningful but not so many as to be impractical. The limit here is people: more than four categories are likely to be overwhelming.
The next step includes defining handling rules for each category, specifying with whom the information can be shared and the level of confidence in its protection. You should try to avoid including technology in the handling rules. It is likely that there are many technology options to deliver a handling rule and technology changes rapidly so there will be more options tomorrow. Also, statements such as “X can’t go in the cloud” are not only meaningless but obscure multiple implicit requirements and assumptions. Good information security practice makes these explicit.
The Problem with Technology
The aim is to simplify because people ultimately need to do their work and do it securely.
Generally, there are “controlling technologies” such as information labelling, hosting in a particular nation, or access control, and “monitoring technologies,” such as log analysis or anomalous behavior detection. The former are determined by the handling rules and may require interaction such as declaring information to be of a specific sensitivity or selecting encryption. Monitoring technologies operate behind the scenes and provide assurance because there is no such thing as zero risk.
An essential starting point is that all information is not equal. The extremes are corporate crown jewels (the Coca Cola recipe) and corporate detritus (last week’s canteen menu)Malcolm Carrie, BAE Systems
No matter how clever, these technologies are only tools to achieve the end: simple and secure sharing of information to enable businesses to be more efficient and effective. However, business relies on people and the effectiveness of any process and technology will be limited if people aren’t equipped to make good information risk decisions.
This means training and awareness to change a security “no” to a security “know.” This includes starting with the premise that some information is more valuable and individual actions such as emailing, using public cloud services such as Dropbox or Google Drive, placing company information on a memory stick or a personal device all need to be carefully thought through.
Public Cloud Services
The scale of public cloud services is significant. Major providers can offer capacity far more economically than internally delivered equivalents. Additionally, this capacity is available almost instantaneously, there is no capital investment and costs are 100% variable. These benefits alone could justify understanding information categories and handling requirements.
People are more social and mobile than ever before, which is why these technologies are more common in modern businesses than they’ve ever been. The technology responses in these areas tend to lean heavily on public cloud services. So being able to exploit social and mobile technologies requires the same understanding of information categories and handling requirements.
Security as an Enabler
The benefit of getting information security right is, simply, profitable business growth. This comes from two places: maximizing the effectiveness of the supply chain through sharing information and maximizing efficiency through informed use of cheap and agile public services.
Security and sharing are therefore not mutually exclusive. Security enables sharing by ensuring we have thought of and can adequately control “who gets access to what and when.”
Malcolm Carrie is head of global strategy and architecture at BAE Systems. He’s responsible for ensuring that his firm’s use of information management and technology contributes to the successful execution of its strategy. He is also a member of The Corporate IT Forum and sits on its Advisory Group.