Value vs. Vulnerability: The Business Dilemma of Information on the Move

By   ISBuzz Team
Writer , Information Security Buzz | Dec 15, 2015 08:00 pm PST

The information created and processed by a business, whether about products, operations, customers or financial performance, can play a vital role in commercial success and even survival. And while every business keeps different types of information, some unique and some typical of its industry sector, it is widely believed that exploiting data sets to inform business decision-making can deliver measurable competitive advantage. You would expect businesses, therefore, to be making the most of emerging technologies and deploying resources suitably to exploit their information to its fullest. The truth is that, in most cases, they are not.

In a recent study undertaken with PwC, we set out to explore how mid-sized (from 250 to 2500 employees) and enterprise-level organisations (more than 2,500 employees) in Europe and North America approach the task of harnessing information value. The research uncovered an interesting discrepancy. Many businesses (64 per cent) believe they are already getting the most from their information. Yet, a closer look at how the businesses are managing their information reveals that the majority (76 per cent) are not extracting full value because they lack the culture, skills and tools they need to do so.

It seems that a majority of business leaders exhibit a false confidence when it comes to the ability of their businesses to manage information for value.

More than two in three businesses (69 per cent) believe they know how information flows through the business and where it is most valuable; and 76 per cent say the same about knowing where it is most vulnerable. Yet when asked how they determine either of these, few were able to give a clear answer and most didn’t answer at all.

Historically, information management focused on mitigating the threats to information, with most attention given to getting the security right and remaining compliant with regulatory requirements governing privacy and records retention. This would help explain why the number of companies that said they could pinpoint vulnerability is slightly higher than those that understand where it delivers greatest value. It also explains why many companies are finding it hard to adjust to the new information dynamic. Exploiting information for value will create a tension between the need to keep information secure while sharing it with those employees best placed to use it for business insight and advantage.

The triumph of caution is seen elsewhere in the study. For example, the results reveal that  73 per cent of those surveyed are confident that valuable information can be accessed easily by all those who need it. However, the research also tells us that just 50 per cent of senior managers in Europe and North America are allowed access to such information. In some instances of course, this is absolutely the right thing to do: no business would want to provide anything but highly restricted access to records that contain personally identifiable information or intellectual property, for example. However, when such restrictions do not apply then access should be granted to the data if it is deemed useful, or measures taken to “de-identify” personal information before sharing.

Companies that allow their IT department access to the most valuable information are more likely to grant such access to a number of other functions, including research and development (27 per cent), finance (35 per cent), records and information management (27 per cent) and marketing (26 per cent). However, these numbers also mean that two-thirds of R&D and finance departments and three-quarters of records management and marketing don’t have free access, despite the importance of high-value company insight to areas such as customer engagement and innovation.

This suggests that IT’s traditional role in protecting information could be leading it to restrict data flow through fear of risk or a data breach, and this represents a significant obstacle to deriving the full value from information. Businesses need to create an information strategy up front with the decisions made on who should have access to what information and for what purpose. IT can then play a role as a strategic partner and enabler rather than act as a gate keeper.

IT is not the only potential barrier; in a study conducted with IDC earlier this year, we found that legal departments represent a similar and possibly even greater obstacle. Legal and compliance departments were found to prioritize security and risk mitigation over ease and speed of access, with a mere third (38 per cent) believing that data archives can enhance revenue. Moreover, just under half felt that they should be responsible for several key aspects of data archiving – with IT and other business functions disagreeing with them on all counts.

In other words, exploiting information for competitive advantage is not as simple as it seems. Entrenched attitudes, inter-departmental silos, a lack of mutual understanding around information needs and the continuing dominance of security concerns can lead to information being caught behind barriers or even locked down. This has far-reaching impact on a company’s ability to make the most of its information.

It is well known that information is at greater risk while in motion than when it is at rest.  But that is no excuse to put it to sleep. The C-suite has a major role to play in breaking down unnecessary barriers, while keeping the information secure. It needs to ensure that important decisions about information access and protection are made by all those affected, and that responsibilities are allocated to reflect the needs of a knowledge-enabled business. Our study shows that currently just four per cent of companies get it right; we need to work together to multiply that by 25.

[su_box title=”Sue Trombley, Managing Director of Thought Leadership at Iron Mountain” style=”noise” box_color=”#336588″]Sue TrombleySue Trombley, Managing Director of Thought Leadership at Iron Mountain, has more than 25 years of information governance consulting experience. Prior to her current role, Trombley led Iron Mountain’s Consulting group responsible for business development, managing a team of subject matter experts, and running large engagements. Trombley holds a Master’s degree in Library and Information Science and recently was certified as an Information Government Professional. She sits on the AIIM Board, the University of Texas at Austin of School of Information Advisory Council, and is President of the Boston ARMA Chapter. She is Iron Mountain’s representative on the newly formed Information Governance Initiative and is frequent speaker at association events.[/su_box]

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x