I recently read an interesting article where GE brought together their Legal and IT teams to address information governance and security. Nuala O’Connor Kelly, senior counsel and chief privacy leader for GE, worked with GE Chief Information Security Officer (CISO) Grady Summers to launch a GE Information Governance Council. This combines the strengths of IT and Legal to holistically review information management and policy issues.
Historically information security and management has been in the hands of IT. In some organizations, IT takes a proactive approach and works with business units to understand how best to control and protect information without hampering the business. Some IT groups prefer to say no to most things, just in case. With mobile devices and social networking becoming the norm for many businesses, saying no isn’t reasonable anymore. These are legitimate business tools and IT needs to find a way to let people use them without compromising security.
The issue here is rarely a technology one. Just like when telephones first came into the office, businesses needed to understand the value of using the technology and contrast that with the possibility of abuse. I can’t imagine a business today preventing employees from using the telephone. Everyone realizes that we use the telephone for personal and business reasons. Most of us understand how to balance things. We also understand that it’s easy to call someone on the phone and tell them company secrets. We have codes of ethics and conduct in our companies that guide our actions in these matters.
At issue today is that the abuse of information can get companies into legal trouble. Just look at all the data breaches that occur. A general counsel worries about who has access to what information and when. The legal department needs to create policies to make sure that employees have access to the information they need to do their jobs, without compromising the security of the business. It’s not the job of Legal to determine the best way to accomplish that. It’s up to IT to decide on the best technical approach to meet the goals of the policy.
If a policy states that a customer’s credit card number can’t be seen by anyone outside the company, then IT needs to determine how to encrypt the information in such a way that restricts it from prying eyes, but doesn’t prevent business transactions. In this case, Legal sets the policy and IT implements it. As technologies change, IT may employ different techniques to accomplish the same goal. Working together to ensure privacy and security brings about a better solution.
Another advantage of working together and being proactive, is that it reduces the tendency of employees to go around the system. There are so many ways to do things on the Internet today, that preventing people from working invites abuse. I was in a situation a few years ago where I needed to exchange large files with a business partner. The email system restricted attachments to 10MB and IT wouldn’t let me use an FTP site. Their answer, “It’s not safe”. So how can I send this large file to my business partner? Their answer, “Burn it on a CD and send it by FedEx.”
You can guess the rest. I found a free file sharing site and used that to send my files, but I made sure I protected my files with persistent security.
Creating a partnership between Legal and IT may not be natural, but it’s necessary and good business. Privacy, security and accessibility are always at odds, but bringing all interested parties together can forge a better solution. It’s better to do it now than have the first meeting between IT and Legal be when you have a data breach.
Photo credit Fotolia