Cybersecurity or Information Governance Failure???

This past weekend the world was overwhelmed by the cyberattack that spread around the globe hitting businesses, hospitals, and government agencies in over 150 countries. The rapid spread of Ransomware based on WannaCry which exploits vulnerabilities in Microsoft’s Windows operating system has been characterized by Europol Director, Rob Wainwright, as “…something we haven’t seen before”.

Why did this happen? Was it a failure of Cybersecurity professionals? Or something more insidious?

Unlike many previous Ransomware, this attack doesn’t spread by phishing emails or infected websites (browser based attacks) but uses the EternalBlue exploit developed by the U.S. National Security Agency to spread across networks and attack vulnerable computers which have not had recent security updates installed. Microsoft issued a “critical” patch on March 14, 2017, to remove the underlying vulnerability for supported systems. Surely, Cybersecurity professionals jumped into action and started patching all the machines on their networks to prevent an infection by WannaCry! Right? I guess not! So, why not????

I point to the lack of effective information governance as a root cause. I recently wrote about the importance of information governance and “Why Cybersecurity Pros Should Care About Governance”. A strong Information Governance Program would ensure that remediation and quick action is taken when a significant vulnerability like WannaCry is identified and a patch issued by Microsoft to protect against it. Most of the machines infected by this Ransomware should not have been affected. They should have been patched and widespread communications sent out to all members of the organization to be on alert for suspicious emails and to take protective actions for their personal machines at home.

Also, a strong Information Governance Program would ensure that end users are trained appropriately, and often, to recognize emails that serve as conduits for Ransomware and viruses and act appropriately to report it their Cybersecurity team while not infecting their machine and the network. I cannot stress the importance of a robust Information Governance Program which addresses the processes, procedures and human behaviors of managing information safely and effectively. My two articles address the cultural aspect of creating a culture of information management excellence: What Does Culture Have to Do with Information Management? and Creating a Culture of Information Management Excellence.

These are scary times and shoring up the “castle walls” or improving the “moat” around the castle is not enough by itself. The first step is to conduct an information risk assessment which will identify gaps and vulnerabilities that should be addressed immediately.  If you need help with an information risk assessment or creating a robust Information Governance Program as well as a culture of Information Management excellence, don’t hesitate to contact me.

Why Cybersecurity Pros Should Care About Governance

Cybersecurity is a strategic priority for most organizations. With recent high-profile breach incidents, including Home Depot, Target, and Sony, many companies are asking themselves, “Will I be next?” The answer is “yes,” based on the number of widespread and increasingly advanced attacks. Some of these data breaches are not only a result of internal malicious acts but also unintentional mistakes by employees.

Ultimately, the chief information security officer (CISO) needs to understand the information footprint across systems, determine the value/risk of loss, and protect against cyberattacks through the deployment of control activities, which are commensurate with the value/risk of these information systems. For the last several years, CISOs have focused almost exclusively on protecting the perimeter (even going as far as to use endpoint protection). If most agree that they will likely experience a data breach, then this attention to the perimeter only addresses a portion of the risk.

We’ve all heard for years that information technology (IT) and cybersecurity require people, process, and technology; however, over the years, “people” and “process” have not received the same attention as “technology.” Cybersecurity in many organizations has been regarded as a technical problem, handled by technical people and buried in IT. With the widespread use of mobile computing and the explosive growth of Internet of things (IoT) devices (growing from 6.4 billion connected devices to over 50 billion by 2020), a focus on people and process must move up in prominence to mount a coordinated defense and, eventually, an offense.

Employees are still to blame for many cyber incidents. Poor security awareness continues to be the greatest inhibitor to defending against cyber threats, followed closely by the massive volumes of data for IT security teams to analyze/protect. Cybersecurity professionals need to understand the information risks their organization faces and how to leverage information governance, along with technology, to get the biggest bang for their buck.

According to Gartner, some companies have spent $81.6 billion on security technology in 2016—and still, experience data breaches. As a result, companies are turning to cyber insurance. Certainly, insurers will be happy for the additional business, but they won’t be handing out claim payouts easily. Insurers will investigate each breach thoroughly, and if negligence or the controls and cyber prevention technologies do not match what was represented in the insurance application, they will not pay on the claim. Many insurers will help their clients by developing programs that drive better security hygiene and by offering incentives for better detection and incident response capabilities. It makes one wonder if these programs or incentives will resemble what health insurance providers are dong. Will this be the cyber insurance equivalent to Fitbit?

So, what can be done? Cybersecurity professionals need to partner with information governance/information management professionals to jointly develop what Gartner calls a “data security governance plan.” This cross-functional team can work together to leverage technology that protects the enterprise yet enables business agility, to ensure information risk is reduced through a combined effort of governance and technology, and to effectively address the people and process part of the cyber security equation.

In a Gartner Special Report titled, “Cybersecurity at the Speed of Digital Business,” they call for the creation of a data risk officer. For this unique role to be filled effectively, organizations should cross-train their cybersecurity and information governance professionals. When cybersecurity technologists better understand governance and information risk and information governance practitioners better understand cybersecurity technologies, the more effective these two will be at protecting the organization.

My Blog Post on Personal Development Featured by John C. Maxwell

The Leading Edge: Develop Yourself Like a Naval Aviator

This post originally appeared on the John Maxwell Team blog.

When I started my career as a Naval Aviator after graduating from college, my training and development continued for many years. First, there was flight training for 18 months culminating in earning my “wings.” Then, onto another six months learning to operate the P-3C Orion aircraft, I would fly operationally in the fleet. By the way, I am flying the aircraft taking this picture of a P3-C with the Sicilian Mount Etna, Italy in the background.

Read More

My Latest Article Published at Document Strategy Magazine

Creating a Culture of Information Management Excellence

Last year, I wrote an article titled, “What Does Culture Have to Do with Information Management?” which made the case for addressing culture as a part of any successful information management implementation project. Today, I wanted to offer some practical advice on how to create or install a culture of information management excellence.

So, how do we actually create this type of culture? Borrowing from John C. Maxwell’s definition, let’s look at the behaviors, symbols, and systems of an organization—the three components that make up culture. 

Read More

My Latest Article Published at Today’s General Counsel

General Counsel Can Spur Legal Hold Success

Combination lock and discsCheck out my latest article which was published in the December/January 2017 digital edition of Today’s General Counsel titled: “General Counsel Can Spur Legal Hold Success”. 

I coauthored the article with Doug Deems, General Counsel, The Claro Group.

One of the biggest challenges posed by legal holds is getting compliance by the employees who are subject to it. Because they are asked to alter their normal handling of information (including emails, documents and papers), the success of a legal hold program may depend on how well an organization implements “change management.”

Our article provides three things that general counsel, specifically, can do to lead their organizations toward legal hold program excellence. Read the article here

 

My Latest Article Published at Document Strategy Magazine

How to Get Your Information Governance Projects Funded

One of the big challenges for information governance professionals is getting buy-in from business stakeholders and sponsors for funding projects. Often, there is a perceived poor return on investment (ROI) that creates a lack of urgency or the impetus to move forward.

Frequently, this is a result of projects being positioned as compliance or workplace efficiency initiatives. I attended two recent presentations that offered some practical strategies to help information governance professionals align and present project initiatives in a way that will help get them funded. Read More…

 

New White Paper Published

Not if, But When You Get Hacked: Measuring and Proactively Managing Information Risk

business man out on a ledgeIf this is true, then what are organizations to do? These increased cyber security threats corporations face today is a big concern for Board members and CEOs. The Chief Information Security Officer (CISO) along with help from the Chief Privacy Officer, General Counsel (GC), and CIO are tasked with keeping the company safe and addressing this risk.

This new white paper sponsored by Active Navigation, discusses steps to assess these information risks with the goal of creating an Information Governance Scorecard and provides recommendations for establishing proactive monitoring of these risks as a vital first step to reduce the organization’s risk profile. Download Now!

Information Management Through the Eyes of an IT Auditor

My Latest Article for DOCUMENT Strategy

I spoke at the ISACA Houston Chapter’s Cyber Security Conference this week on the elements of a successful enterprise information management program for information technology (IT) auditors. There are elements of the organization’s information governance program that auditors should pay attention to when testing the efficacy of the program, the information management solution, and the controls that should be in place.

 

What Will Leadership Look Like in 2030?

One of my good friends, Thornton May, has an interesting article: What Will Leadership Look Like in 2030?

It is an interesting question so I thought I would share what I think leadership should look like in 2030.

I think leadership needs to change over the next 14 years, but not in a way that makes it more remote or technologically enabled. True, some leadership functions, like Board meetings and interactions between management and directors can be virtual, but I think the day-to-day leadership of teams and companies need more hands on personal interactions.

If you agree, as I do, with John C. Maxwell’s definition of leadership as influence, nothing more, nothing less, then interpersonal interaction between leaders and their followers is needed more for effective influence. One of the ways leaders can make a huge impact on their followers and have great influence is to intentionally add value to them. I have found the most effective way to add value to them is in person not virtually.

Right now there is a leadership vacuum in our companies and organizations globally. Thornton posed the question in the article about how long can it take to train and develop a leader. Most MBA programs are not training leadership. They are teaching management theory and other business related disciplines, but few really teach leadership.

I think with an intentional personal and leadership development program put in place this can happen very fast. A year or two is reasonably possible. I have a mentoring program designed to do just that.

Besides thinking, writing and advising others about information management and information governance, leadership is an area I am equally, if not more passionate about.

I help organizations innovate, transform, and maximize the effectiveness of individuals by helping them improve their ability to lead, work together, select and develop their people.  In other words, I help them become more profitable. It all starts with better leadership.

Big Data: Real-World Challenges, Insight, and Business Value

I had the honor of participating in a panel discussion about big data at the DOCUMENT Strategy Forum (DSF ’16). The panel was moderated by Lane Severson from Doculabs, and I was joined by Carl Jaekel from Medical Mutual of Ohio and Declan Moss and Brett Collins from Navistar. We had a lively and very interactive discussion with lots of great audience participation. The only problem was we did not get very far on this very big topic, so I thought it would be useful to share some of my thoughts based on our discussion.

Read my thoughts about the discussion and what we did not get to cover in the session.