- Andrew Cammell, chief information officer, Chapman Tripp
- Aubrey Christmas, chief information officer, Employers’ and Manufacturers’ Association (Northern)
- Liz Gosling, director of IT services, AUT University
- John Holley, general manager, ICT, Auckland Regional Council
- Robin Johansen, chief information officer, Beca Group
- John Johnson, IM manager, Waitakere City Council
- Divina Paredes, editor, CIO
- Rod Vickers, solutions product marketing manager, Fuji Xerox
Robin Johansen: Some analysts are saying that one of the biggest sources of data leakage is actually the printed word, not the electronic form. As technologists, I think we rush to figure out how to protect the USB ports and so on, whereas in fact it’s often the printed piece of paper that’s the vehicle that gets the information out of the organisation.John Johnson: I agree, the hard copy’s a big issue. I think our data storage area for hard copy records has to be about five kilometres in distance and that’s just the central documents. John Holley: One of the challenges we have had is we actually have a huge cultural and heritage stake in information. We have stuff that’s literally going back decades, 50 to 60 years, so it’s not just electronic records, it’s paper records. Andrew Cammell: In our firm, any advice sent in an email is printed for the matter file, and there is still a lot of information which is only available in paper form. We have deeds, wills and other official documents that we have no electronic control over. How do you manage access to all the information stored on paper? It is very difficult.
Control and access
Robin Johansen: We’re often entrusted with data from our clients that we need to protect. Obviously there’s information you don’t necessarily want disseminated everywhere, schedules like remuneration or an organisational restructure. There have been examples where people want to start their own business, and so they decide they’ll do a bit of harvesting before they do it. And there are some things like client lists, where the people who need to have access get access. But you don’t make it easy for them to take it away, so they can start up in competition with you.
John Holley: I was reading online [that] something like 60 per cent of people who have been let go from organisations, have taken data. So that stuff is going to happen. It’s how you track and trace what’s actually gone out. We’re putting systems in place exactly to do that... I think the challenge for all of us is having data available to the organisation in the appropriate fashion, but also protecting [it], whether it’s at least [through] monitoring and auditing what people have taken.
Aubrey Christmas: Interestingly enough, a survey of 300 ICT professionals [conducted at the European Infosecurity 2008 Conference] said 88 per cent of IT people admitted they took information out themselves. So you’ve got the question of the same people that are supposed to enforce this issue, are actually a key part of the problem as well.
John Johnson: There are policies and procedures, but the hard part is behaviour. It’s an ongoing education and training, because you have new people joining all the time. We have a lot of different people coming to do project work. So it’s an ongoing challenge to actually have that awareness training all the time. It depends how big your organisation is and how many people you have that have certain responsibilities and accountabilities. And it’s really to make sure that they’re fully aware of those consequences of their own actions.
Andrew Cammell: Most people will take the path of least resistance. If they can find a simple way of doing something, they will do it regardless of whether or not they know they should be doing something else for the benefit of the company. For example, we have a document management system which has security built in so we can protect documents, but if people decide to keep the information in their email system or don’t profile a document correctly all of that security is pointless. There’s only so far you can go with controls that are built into the system. It is important to rely on and stress the importance of proper behaviour.
Policies that workLiz Gosling: Quite often people plead ignorance of any policies, particularly the internet and appropriate behaviour-type policies that those organisations have. That policy level is quite important to make sure that the organisation has a strict information policy. But it has to spell out clearly what is and isn’t acceptable behaviour with information, and getting that kind of education in place. Aubrey Christmas: Every year, we get people to re-sign the computer policy. The policy is two-and-a-half pages [long] and it’s a simple overview of what you can do and what you can’t do. A part of that policy is also to make sure every department manager is in charge of security, or data integrity, not just the IT department, not just the senior management or the security officer… it’s everyone’s responsibility. All employees [sign the document] which causes a ruckus, but the intention is that information policing is not just an IT problem, it’s something everyone in the business needs to take ownership of. The IT folk are the guardians, and therefore we have to police it [and] have the processes and tools in place to ensure it works for the health of the business. However the business [units] are the owners. Robin Johansen: We’ve adopted a slight variant within our employment contracts. On a project by project basis, we’ll get individuals to sign the terms of their obligations for the particular project. So that really puts the focus that this really is a confidential project, and this is what the company’s obligations are and this is what their obligations are.
Andrew Cammell: When we have new people, I always go and see them as part of the induction programme, and say, ‘Any email, any letter you send out, before you send it, think what the managing partner or the CEO will say if they were looking over your shoulder. And if they’re happy for it to be copied to the CEO, then go ahead.’
Data in the wild
Robin Johansen: Many of us are in organisations where staff are mobile and they don’t necessarily work in the office any more. And so the whole idea of having this centralised repository for all your data doesn’t hold good, because so many people work with notebooks or even PDAs and they’ve got stuff on those devices out in the wild.
They never bring them back into the centre and will never save them in the centre. How are you supposed to protect it? And even more interestingly, a salesperson or a business development manager with a PDA full of his contacts; if you’re an aggressive competitor you might steal his phone just to get hold of the contact data.
Has your organisation got the ability to wipe [data off] your mobiles? It’s one of the technologies we’re actually actively investigating.
John Holley: But doesn’t it come back to where does the most data loss occur? Yes, we do lose stuff when people take stuff away, but most IT shops, I’m sure, spend a lot of their time recovering the information that people have deleted by mistake or just out of stupidity. And there’s where the whole record management comes back in, which is, we can focus on the really bad stuff at the one end but how do you actually deal with information integrity for an organisation?
Wanted: A fine balance
John Holley: As councils we operate under the Local Government Official Information Act. Most of our records are actually public and are discoverable, so it’s really challenging. It goes back to if you make it so difficult for people to get to them, then there’s a huge cost and burden on the organisation to provide that information.
So there’s a trade-off between making it easy for people to discover the information, and then also maintaining the security of the more confidential information. It goes back to that constant trade-off between ease of use for the organisation and knowledge versus protecting the organisation’s reputation and the sensitive information that you have. And it’s all about what the organisation wants to spend on this.
Andrew Cammell: The other side of that is loss of opportunity. If you’ve got data that is buried away in the system somewhere for security reasons, if it’s not easily found, then there’s a potential lost opportunity in terms of the information being reused to generate revenue. So this is another small balancing act you do, making sure relevant information is available at the appropriate time.
Robin Johansen: There’s an efficiency issue here as well. On the one hand, we’re encouraging our people in times of financial stringency to be really efficient. We don’t want to put bureaucratic things in the way that prevent that, so there’s a balance between controlling assets and making it really easy so people can do the job efficiently. And striking that balance is not necessarily easy.
Not all data is equal
John Holley: I think one of the challenges for us as CIOs is actually making the organisation understand that it’s their data and it’s their value, and therefore to invest in what’s required to deliver that information back in a sustainable, accurate fashion.
Robin Johansen: There are two entirely different ways of assessing value. One is the intellectual property value, which can be significant. The other is the value, which is putting it right when it escapes… We’ve taken the additional step of creating what we call ‘know-how repositories’ within our document management system, so stuff that’s identified as being reusable, is a model of its type, or has got some real quality in terms of its longevity [is in that knowledge base].
Liz Gosling: We’re making the assumption here that all of our data is equally good and it’s equally valuable. When we’re talking about information management, [integrity] is really a key part of it. Who’s accountable for the integrity, what is the single source of the truth, and then actually how we pass that data around the systems? It really is just data that’s meaningless to anyone, unless it’s turned to proper information that can be used within the business.A question of governance
John Holley: One of the big risks is data loss through stuff not being backed up. What we’ve done is look at an enterprise information management strategy, because there’s a danger we focus just on electronic stuff or on paper stuff.
But in the end it’s a business issue, it’s not a technology issue. It’s how the organisation wants to deal with enterprise information and what is the overarching governance about how to do it.
What are the things that we need to retain? What are the things that IT can get rid of and delete? What is the enterprise’s view about information management and how it’s going to deal with [it] from a governance and policy issue?
We want to make information publicly available as easily as possible, but there are some things that we need to do around that to secure confidentiality and stuff.
But it’s got to come from a strategy level at a governance level for us councillors or in a commercial organisation, the Board. And so you make it a business issue rather than a technology issue.
One of the challenges is as soon as it’s a technology issue, it very much becomes the ambulance at the bottom of the cliff, rather than the fence at the top of it.
John Johnson: We’ve actually made it a business responsibility, so on the technology side, we just safeguard the infrastructure and integrity of systems and data and ensure their recovery, if required, is working. The data itself — data quality and all those business processes that support it — is a business responsibility and the different management areas within an organisation have that responsibility and accountability.
Liz Gosling: The approach that we’ve taken is to identify [the] custodians of information. And being a custodian has some responsibilities around it, particularly for data integrity, for ensuring that access to that information is granted as appropriate to people who need it to do their jobs.
But equally, that it’s protected if it’s sensitive information about students or staff. And then by identifying those, we’ve actually managed to get the different business areas to look at their data needs and have some really good conversations about it.
Beyond document management
John Holley: It’s not about document management, it’s about records management. Document management people tend to just dump everything in. A records management system deals with both the electronic and the paper and other versions of stuff.
How do you deal with CDs or DVDs that have records and files and those sorts of things? The off-site storage? And that’s a challenge to explain to people. Enterprise records management is a different kettle of fish.
John Johnson: Ours is a record and document management system, because we recognise the difference. But we’re also trying to do have something that encompasses both in a way, so our policies and procedures cover records and documents. There is a difference and a lot of people don’t understand that difference, but at the end of the day, that’s all part of the organisation’s nformation.
Liz Gosling: One of the issues is that as soon as you start talking about information architecture [and] information management, it’s deeply unsexy. It’s very difficult to get senior members of the business engaged in this stuff.
One strategy I’ve found is [discussing] the impact of not having that information. If we lost all of this, what’s the situation going to be?
The new collaboration environment
John Holley: It’s a change of mindset, but actually it’s a challenge between the Gen-Y staff who are used to working in a much more collaborative mode of sharing, and senior management, who are actually struggling to keep control of stuff.
John Johnson: They [the younger staff] are more [into] sharing stuff and exchanging. There are a lot of benefits in that and probably there’s going to have to be some boundaries in the work environment. If you can get the right mix with those boundaries, it’s probably a better outcome at the end of the day.
Aubrey Christmas: We have one guy from Gen-Y who’ll tell us that what we’re trying to put in place will not work, because they [the younger staff] are doing it differently. So it’s good to have that guy in the conversation or on the committee.
Andrew Cammell: When faced with an issue, one of the first things we do is check the internet to see who else has had it, and what they’ve done to fix it. Now, if all the people putting solutions up on the internet didn’t do that and said ‘I know a solution but I’m going to charge you for the answer,’ how different a world would we be operating in? They’re not all necessarily from the younger generation, just people that have adopted a collaborative style. So again, there’s that act of balancing between what do you share and what you don’t share, and what’s the value of it.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.