As information continues its transformation into a commodity, companies need to rethink how they manage and protect...
that asset. Jeffrey Ritter, an attorney expert on law and technology, says the first thing companies need to do is realize that information is property -- and develop the right corporate information governance strategy to protect that property.
It's being recognized that information is emerging as the currency of the 21st century -- something that can actually be traded or bartered for other assets of value.
In this Q&A with SearchCompliance.com Editorial Director Scot Petersen, Ritter discusses how companies should approach and adapt to the heightened importance of corporate information governance.
Scot Petersen: So, what does corporate information governance mean, and who needs to be involved?
Ritter: For about 20 years, we've been seeing the emergence of something that we all take for granted, and that is that digital information is property. We create it. We buy it. We sell it. And unfortunately, it's often stolen. It's being recognized that information is emerging as the currency of the 21st century -- something that can actually be traded or bartered for other assets of value.
As a result, companies are finally beginning to appreciate that, yes, they have chief financial officers and, yes, they have executives responsible for managing physical assets. But it's about time to begin to manage the digital information not as the byproduct of everyday business, but as a central asset that is going to be considered in measuring the overall wealth and value of the company.
Now this is where it gets really dynamic and a bit volatile for all of us. We understand rules when we're building a house. All of those rules are there to assure a safe, sound and hopefully long-lasting structure that we can live in. But when we're building our systems, there are so many rules that are being thrown at companies, and they're coming from so many different directions that the rules are not being executed. And that means the information is not being governed.
So, in many respects, what we're talking about when we are addressing information governance is really how do we build a management structure through which we, No. 1, can identify the rules we have to execute? No. 2, identify the resources that we're going to use to achieve compliance with those rules? And No. 3, have the resources in place to measure performance, enforce performance, and maybe even reward performance so that we are constantly increasing and improving the utility, the functionality and the value of the information? I think that's what it means to govern information. It means to treat it as property and, as such, part of what we do is make rules. We need to execute those rules.
You talk about information as an asset. How does a company value its information?
When we look at the indirect ways that, say, investors value companies, one of the things we're increasingly seeing is a demand for transparency. It's an indirect measure, but if you're making an investment in a company based on the integrity of its business records, -- its financial reports, its performance activity -- you certainly have to have confidence in that. You have to have assurances that it's safe and secure and has integrity, and that the information has availability.
Anyone in information security recognizes what I just recited as the three anchors: confidentiality, integrity and availability. Now there's a connection in terms of the way investments are being made in companies and how they are being valued. Companies that can't provide high-quality controls can't demonstrate those controls or can't answer the question, 'Can we trust this data in making our investments?' -- they're not going to be valued as much in the market.
Who should be involved in creating policy in a company, and is it a top-down type of a policy? Is this something that all employees should review? How is that going to work?
I think that, if we take the assumption that digital information has the same value as money, [then we see] it's just as important to the success of the company. It's vital to the operational continuity of the business. It's pretty clear to me that it is a top-down decision that we need to achieve governance of these digital assets within our company.
More Q&As with Jeffrey Ritter
Some CIOs refer to themselves as "box jockeys," just basically acquiring and implementing the machinery of the infrastructure. And we never have seen the chief information officer take true responsibility for the information itself. I think that's changing, and among the CIO, the CEO, the CFO, even the chief legal officer -- all of them are beginning to understand that the success or failure [of] the operational efficiency of the business is a function of how well they govern their digital information.
So, the architecture of the governance starts at the top. But what needs to be done from that point forward across the organizational grid is recognizing that really everybody does need to be involved in refining and validating the rules that will apply. In many situations, in fact, the statistics are pretty compelling. In over half of the investments made in IT projects, the investments either fail or the projects overrun the budget for one reason: a failure to identify and manage all of the rules. So, consensus, collaboration and transparency all are critical values. This issue of owning the digital information and governing it is really driving the level of collaboration within the organizations, where everyone's touching it. The problem is doing that across the complexity, so everyone can truly see the full picture and work on the same page.