
Governance and Security: Joined at the Risk

IG/Security Venn Diagram

The need to maintain tight information security is well understood, and plenty of time and money is being spent to toughen firewalls, secure networks, and restrict system access. But what many don’t realize is that data and information governance play a central role here as well – maybe even the central role considering you can’t protect everything, everywhere, with the same degree of rigor.

Oh, you can try, but like as not, your team will be spread thin, your controls will be inconsistently applied, and your protections may be weakest where they matter most. This isn’t a criticism, just reality, and a jumping off point for this core concept:

Strong security starts with deciding what deserves the highest level of protection, and why.

This almost always comes down to determining what critical information you have and where it resides within your various repositories and systems of record – perhaps the most fundamental of all governance tasks. Only then can you fulfill your greatest obligation: to ensure your data’s integrity.

Information is Where Governance and Security Meet

Your storage locations are the authoritative sources of your most important data: customer information, company financials, employee records, key operational data, regulated datasets, etc. They’re much more than “important applications” – they’re the backbone of your business continuity, regulatory compliance, and trust. And if something goes wrong, the impact isn’t just technical; it’s legal, financial, and reputational as well.

It only makes sense, then, to maintain a clear understanding of what this information is, where it’s stored, who owns it, how sensitive it is, etc. … and just as important, what we’re on the hook for if something sensitive gets out, or someone malevolent gets in.

Most people who work with information aren’t aware of this criticality, partly because they’re focused on doing the jobs right in front of them, and partly (mostly?) because no one’s ever explained it to them. Either way, they aren’t aware that the data they touch often carries regulatory, retention/disposition, and audit-related burdens. When governance is weak, these responsibilities are handled inconsistently (or not at all), creating exposure that security tools alone cannot fix.

It Takes Two

So while deploying controls across all your systems is great, targeting your information as well is better, as it bolsters your defenses where the impact of failure is highest. Doing this means doing all the governance things we know so well, from reducing data volume to conducting compliance audits to standardizing organizational policies regarding access, retention, privacy, etc.

In the end, information governance and security are not separate disciplines because they both seek to reduce risk. Perimeter defenses go a long way to achieving this but often are uneven. Good governance illuminates where to focus your effort to ensure your most valuable data receives priority protection.


Information governance to support data security is a big part of what we do – and our Governance Acceleration Program lets us do it faster and better. If this sounds good, reach me today and let’s make it happen!
