With information going up in value, companies are getting smart about the management of these assets
Written by the Economist Intelligence Unit
Managing information risk essentially means identifying the information a company holds, calculating the risks to that information and deciding on the extent to which it is worth protecting. Important variables in this calculation are each company’s tolerance of risk, the resources it has to spend on security and the need to use information in the day-to-day business.
Up to now, information risk management has had a relatively low profile. Even so, it is not a wholly new discipline. Long before banks recognised the strategic importance of information, many companies employed a records management department, a form of information library, tasked with overseeing the lifecycle of data once it enters an organisation.
The rise of information risk management in its current form has been driven by developments in technology: according to a recent survey of global businesses conducted by The Economist Intelligence Unit, 90% of C-level respondents (CEOs, CFOs, COOs) believe that information risk has always existed but has become a higher priority because of the Internet.
In today’s hyper-connected era, the risks of theft, loss or destruction of information have become even greater, as sophisticated cyber criminals are able to breach company security from afar and employees increasingly interact with company information outside of the traditional workplace. William Long, a partner at law firm Sidley Austin, points to the past four or five years as a period of profound change: “Social media, BYOD [bring your own device], cloud computing and the concept of Big Data – all of these developments have really forced regulators and business to think about these issues in a more concentrated and focused form.”
At the centre of these developments is data proliferation. The sheer amount of digital data being created and stored means that not all information can be protected or locked away in a safe. One of Mr Marshall’s clients is sitting on masses of unstructured data, such as emails over seven years old, which is currently costing the company US$60m a year just to store. As a result, information risk management is now much more about identifying and prioritising the most vitally important information to the company.
What some ‘mission-critical’ information amounts to may be obvious. Think Coca-Cola’s secret recipe or the algorithms underlying Google’s search engine. The value of most information, however, is not so clearly defined. Prioritisation can be achieved by attributing monetary values to information, which more companies are starting to do. Equally, information risk experts caution companies against being overly precise here, for fear of wasting time and resources on unnecessary detail.