There is no clear hierarchy between Information Security and Information Governance. Here are the five main reasons why Information Governance needs to lead the practice of the modern digital enterprise:
- Security is important; however, nobody will ever gain a competitive advantage through Information Security. Security plays an important role in the defensive part of the strategic quadrants (1), but it will never be able to generate a bottom-line result for the organization. In our understanding, Information Governance covers several disciplines, such as information management, information risk management (information security) and IT governance.
- All risk management methods are based on the assumption that organizations protect all (vital) data within their ownership. In reality, 90% of all organizations have no idea what they actually own (here, information = data). So the number one priority must be to identify information based on conformance and performance criteria. Therefore, Information Governance is a key discipline for delivering input to risk management.
- Security professionals are focused on security issues. They neglect the importance of information in the business context. Example: the traditional classification schemes are still based on the CIA approach (Confidentiality, Integrity, Availability) to data. But the true value of information has an additional set of intrinsic and extrinsic factors, the most important being: value of information, trustworthiness, obligational (legal) value and timeliness. A modern classification scheme must include these criteria.
- Security is still too focused on prevention and correction. Although detection has become more important, mainly because of advanced persistent threats, ransomware and other more recent risk scenarios, classic technology-driven IT security methods still dominate the industry (firewalls, disaster recovery, authentication, encryption). The value of information becomes an important factor and will be one of the key disciplines for addressing important risk. Security must follow a risk-based approach, and the only way to do that successfully is by identifying important data and protecting it accordingly.
- As defined in 1., information security is a typical part of risk management. Thus information security might be part of the strategic layer of management; in most cases, however, it will be part of the operational layer. Information Governance is an umbrella discipline, which should be positioned at board (normative) level if the organization’s core business is the management of information. If we take the example of the “Chief Digitization Officer”, his/her role would include all aspects of Information Governance, including information security as a sub-discipline combined with data privacy.
(1) See http://informationgovernance.ch/en/offers/practitioners-guide-information-governance/ (page 38ff, German version).