IT Security: Context is King

One of the big blockers for enterprise collaboration uptake is ediscovery and compliance - and depending on the business entity the familiarity, processes and confidence in dealing with legal issues. This is a broad topic, but you can simplify it down into two broad camps: companies that are set up for regular subpoena around information and those that aren't. This latter group tend to be the more paranoid of the two, having read and heard of terrifyingly short time frames to trawl through all electronically stored information (ESI) - email, documents, databases, instant messages, voice mail - before the legal clock hits zero and the discovery is picked over by eagle eyed lawyers.

Again oversimplifying, there are fundamentally two types of data: structured, meaning tracked through processes (in theory) and relatively easily rolled up into a format that can be searched and analyzed for the above legal activity, and unstructured, which can be less easily retrievable.

For businesses who are geared up for legal activity, such as banks and pharmaceutical companies, there is little mystery to all this: it's all part of the processes and cost of doing business. However, large swathes of business are not equipped for this type of activity, hoping legal action will never happen to them, and often have already overstretched IT departments also responsible for protecting intellectual property and compliance.

The sheer fear of the unknown keeps these folks up at night and any discussion of unstructured communication tends to have a bad effect on their blood pressure. Overburdened and tasked with keeping all communication running, any information leaks and failures to protect information or comply make them easy whipping boys.

CIO stands for 'Career Is Over' in some C suite circles because it's so easy to be left holding the baby when some unforeseen legal consequence of compliance or legal action means finding someone to blame.

Against this backdrop it's easy to understand why IT departments tend to be so conservative - creative enough on the downside to be aware of all the risks but not staffed or budgeted to be geared up to protect their responsibilities.

The solution is for greater collaboration between business units to spread these burdens more fairly across the enterprise, with an emphasis on 'if then' scenarios. The reality is that one size does not fit all for IT solutions in an era where volume of data produced - structured and unstructured -  every day is exploding and increasingly fragmented.

Crafting viable workflow processes and associated information tracking and storage is vitally important, yet many business entities lose out on the potential productivity increases of Enterprise 2.0 technologies through a piecemeal, 'don't look at the sun' approach to legal discovery of electronic information. They're essentially hoping it won't ever happen or they will have moved on when it does.

This nausea inducing 'tip toe through the minefield' approach is unsustainable in the rapidly changing global business world, where those who get collaborative networks flowing and under control will be the winners, regardless of where they are on the planet.

I've been looking at a raft of reports in the IT security area and talking to people in that industry recently: I've just had a valuable briefing from Tom Barnett, VP of Strategy at Xerox Litigation Services who described a one and a half to two billion US dollar information protection and discovery industry around essentially intelligently mining information using technology. Until recently keyword search was the extent of technical help for the labor intensive legal discovery process, but Xerox are now seeing increased uptake of their machine learnable 'categorics' technology: humans semantically 'train' this Xerox technology in a sample subset of information: the categorics concept grouping technology then amplifies this thinking and logic across terrabytes of data to quickly find contextual information.

Gathering up the information to be trawled is a pre requisite, and less centralized information is harder to corral. An ever changing legal kaleidoscope means the contextual parameters change rapidly: this US case around the Stored Communication Act  Flagg vs City of Detroit about a murder in 2003 which resulted in the judge ordering the release of all SkyTel text messages may not appear to have much bearing on social media and enterprise 2.0, but in legal terms it sets a precedent.

More prosaically, Mike Fratto of Information Week is astounded by the lack of encryption of information by businesses in their 2009 Strategic Security Survey ('the threat landscape is more challenging than ever'), which covers the broad sweep of terrible things that can happen to networks.

The 'types of breaches most likely to occur' terror charts in this report are topped by Viruses at 51% of worried respondees, with Worms at 48%, Operating system vulnerabilities attacks 43%, , Phishing 41%,  Theft of computers or storage devices 40% and Web scripting language violations (Java or ActiveX-based) at 32%. This is specifically the valid concern of sql injection and other attacks against Web 2.0 browser based applications.

Companies like websense are focused on helping companies implement best practices for web 2.0 security, in this case with their Web Security Gateway solution, but relatively few companies at this point have budget or bandwidth to focus on this.

In many companies, there are fragmented efforts to solve different problems without much apparent synergy - line of business units adopting enterprise 2.0 point solutions, security folks forging ahead with lock down solutions for examples. Like the Tour de France, these groups break away from the internal business peloton, only to be reeled back in by the pack.

A fundamental point in the Information Week report is that security starts with policy, people and processes. Get this right and the long tail of disasters will shrink significantly, and also help broader solutions to be applied in context and not as a band aid. Applying team thinking around strategy and tactics will ultimately result in overall victory through a cohesive collaborative network approach which embraces all of the above in a balanced in-context, holistic way.

Image from: How To Stop Biting Your Nails