Updated: Aug 8, 2019
The “I” in IT stands for information. Still, most IT departments focus only on the technology and software part, and not on the actual information the IT systems were built to handle in the first place. It is often more or less explicitly stated that information ownership must lie with "the business side". So problems with actual data quality, or questions about how worthy of protection certain information is, are conveniently transformed into everyone's favourite kind of problem - Somebody Else’s Problem.
Likewise, business managers and top executives are seldom interested in going into any details of logical information models, or nerdy classifications of the information handled in their business processes. It is often assumed that more technical people on "the IT-side" take care of details like that. Again, information security becomes Somebody Else's Problem, and everyone is happy. Until they are not.
If you are the CIO of your company, you are the Chief Officer for your company’s information. Information, not technology, should be your main focus. How are you supposed to be accountable for information security breaches if you don’t have a good grip on what information your company actually handles? And on which of that information is worthy of protection?
To know your information you have to model it. Emailing a spreadsheet with a free-text column labeled “Information asset” and a few questions for Somebody Else to answer won’t cut it.
For example - you most likely handle some sort of customers in your systems. Maybe you have both consumers and businesses as customers. And among your consumer customers, maybe some are more sensitive than others, or you need to differentiate military-related customers from other businesses. In a case like that it is not useful to classify and protect all customer data equally. Instead you need to differentiate a hierarchy of different types of customer data. Each type of customer would inherit its minimal classifications and demands from the more general customer definition. More special customer types can add higher security goals or extra compliance demands.
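The customer hierarchy described above can be written down as a small model. This is an added example, not code from the author or from any product; the four-step scale, the type names, the goal names and the compliance labels are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):  # hypothetical four-step classification scale
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass
class InfoType:
    name: str
    parent: Optional["InfoType"] = None
    goals: dict = field(default_factory=dict)  # levels declared on this type only
    demands: frozenset = frozenset()           # extra compliance demands

    def __post_init__(self):
        # A special type may raise an inherited level but never lower it.
        inherited = self.parent.effective_goals() if self.parent else {}
        for goal, level in self.goals.items():
            if level < inherited.get(goal, level):
                raise ValueError(f"{self.name}: {goal} below inherited minimum")

    def effective_goals(self) -> dict:
        merged = dict(self.parent.effective_goals()) if self.parent else {}
        for goal, level in self.goals.items():
            merged[goal] = max(level, merged.get(goal, level))
        return merged

    def effective_demands(self) -> frozenset:
        base = self.parent.effective_demands() if self.parent else frozenset()
        return base | self.demands


def build_model() -> dict:
    """Constructed sample hierarchy; names, levels and demands are illustrative."""
    customer = InfoType("Customer", goals={"confidentiality": Level.INTERNAL,
                                           "integrity": Level.INTERNAL})
    consumer = InfoType("Consumer", customer,
                        {"confidentiality": Level.CONFIDENTIAL}, frozenset({"privacy-law"}))
    sensitive = InfoType("SensitiveConsumer", consumer, {"confidentiality": Level.SECRET})
    business = InfoType("Business", customer)
    military = InfoType("MilitaryBusiness", business, {"confidentiality": Level.SECRET,
                        "integrity": Level.CONFIDENTIAL}, frozenset({"defence-contract"}))
    return {t.name: t for t in (customer, consumer, sensitive, business, military)}
```

Declaring a subtype with a level below what it inherits raises an error at definition time, so a mistaken downgrade is caught when the model is edited rather than after the data has been handled.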
Information security is too important to be Somebody Else’s Problem. When, for example, executive management decides to outsource parts of operations, it is crucial that they know what information is affected, and whether that information is sensitive or worthy of protection. If they do not understand this, no layers of technical security, such as advanced encryption standards, can protect your customers' information. If you willingly give away the key, it does not matter how strong the lock is. This can potentially have very severe consequences, as in the recent example of the scandalous data security breach at the Swedish Transport Agency where, so far, the general director has been convicted of a crime and two Swedish ministers lost their jobs.
Information is a valuable core asset for most businesses
People from different parts of the organisation need to cooperate to meet today’s challenges of information security
To protect your information, you have to know your information
A simple high level information model is the best way to classify and know which information is worthy of protection
/Daniel Lilliehöök, Chief architect at Innovate Security Sweden AB