By Dr. Guy Bunker @guybunker
About 10 months ago I did a 'tour' down the East Coast of the USA speaking to customers, partners and analysts and came back a little disappointed as the term Information Governance (IG) only resonated with very few people. Fast-forward to today, and the first IG conference has just successfully finished with a couple of hundred people, an exhibition hall and a whole heap of great speakers.
The audience at this conference was a little different from the usual security crowd I normally present to; the vast majority being lawyers and records managers. The lawyers were there because of e-discovery (or "e-disco" as they call it... Makes it sound like a lot more fun than it really is!), where "records" have to be discovered and then filtered down to a minimal set before being produced for use in court cases. IG is all around this process, with much more emphasis being on what happens to the records after they go outside the organization than there has been in the past. The lawyers also understand Redaction as a term – but it is done manually and can take months to complete. The records managers' perspective was also interesting. They see their roles changing with the introduction of cloud computing being one of the biggest challenges – as the records are then potentially out of their control.
So IG is now at the intersection of information security and records management (in the biggest sense of the word.) Given that the audience were not information security experts, it was no surprise that some of the things I spoke about created a bit of a stir. For example, I reiterated that records managers need to look at all the places the information can be found if they are to do IG – not just in records management systems and archives. This is a very different way of thinking for them. It’s not just about bank details in a database, it is also about securing the information in the statement print process. I use that example, as another discussion was around this – and while the database was tied down, there were 6 vulnerable points in the process between the data leaving the database and the statement dropping on the customers' front door mats.
Adaptive Redaction went down well, as people could see the benefits very easily. However, one question I was asked made me realise that sometimes the obvious isn’t that obvious.
"So, do you mean you can do this in real time?"
At this point I realised one of the huge differences between the usual security audience and the one in front of me. E-disco and records management basically happens as a batch process. You set up the rules for a specific case and then leave it to run and come back some time later. We take for granted the fact that we carry out Data Loss Prevention (DLP) and Adaptive Redaction on-the-fly. When you look at it from the different perspective (when it’s not in real time) you can see how much intelligence and processing is needed. Make it real time and you begin to realise that this really is a big deal. We can process emails and web-based up/downloads to protect critical information at such a speed that the end user doesn’t notice! (If I wear my pedantic engineering hat, then I would say that we are "near real time" – but the person sitting in front of the keyboard wouldn’t spot this.)
It’s good to approach a subject that you are familiar with from a different angle, and that was one of the best things about InfoGov 2014: a whole different perspective. This then provides a whole bunch of more thoughts around how Adaptive Redaction can be used as a key component in an IG strategy.
Watch this space...