Lawyers, auditors, clients and data, oh my!

From time immemorial to today, we suffer under an inescapable fact. Total, absolutely impenetrable security, is unachievable. From the ancient quandary posed as: Quid custodiet ipsos custodes? (Who shall watch the watchers?) to the demonstrated loopholes in 802.11b wireless communication protocols, (Univ. of Maryland report: we cannot make anything perfectly secure.

If you can encrypt data, someone can decrypt it. If they can’t decrypt it themselves because of some temporary technological constraint, then they’ll make someone, somewhere, an offer they can’t refuse. If “they” want access badly enough, they can gain it. Somehow. Count on it.

If this were just a matter of developing the right technology, then we could all breathe easier and state (naively) that someday, we’d find the right solution to keep our secrets secret. Unfortunately, it isn’t just a technology problem. Security is mostly a people problem, and therefore we can’t ever solve it. People are always the weakest links in any chain protecting your data.

Now what? If we can’t protect our data (and to be very repetitious… we can’t), then how do we conduct business? The answer isn’t to stop using technology. That would make data less, not more, secure. One answer is to match the sensitivity of data against the available levels of security.

The objective is to make the level of effort necessary to break in, commensurate with the size of the prize. Gaining access to a list credit card numbers should be significantly more difficult than reading interoffice e-mail.

This assumes of course, there are some standards as to what employees can place in an e-mail. One need only read the newspapers to see how many companies are hauled on the carpet because of things placed in e-mail trashcans.

Quickly now, list and define, the levels of sensitivity assigned to your corporate data, and the corresponding levels of security, which protect those data categories from unauthorized access. (A correct answer will contribute up to 100 points, towards your next performance evaluation.)

Setting the levels of data sensitivity isn’t the responsibility of the IT department. This is a decision for auditors, lawyers and upper management. Not every bit of data falls into the “Nobody should ever read this, let’s shred it… and then burn it!” category.

While this example is at the extreme end of the sensitivity spectrum, some information (obviously) demands destruction, therefore we assign it the most secure level of security we can afford. Either that or destroy it.

At the other end of the spectrum, we find information with zero sensitivity. You could publish this information on the front page of a national newspaper with no adverse effects. This data is assigned no security.

It’s the data in middle of the spectrum that causes all the problems. Does e-mail fall into the same sensitivity category as a sales report? A marketing plan? The formula for Coca Cola or Viagra? A payroll listing?

Luckily for IT, they’re not (or at least shouldn’t be) responsible for placing all corporate data into the X sensitivity categories. This odious task falls to the clients, auditors and corporate legal eagles.

IT has a different type of categorization to perform. Given the existing IT budget and the nature of corporate data, what levels of security can they provide? How will each defined level of security, restrict usage of the data it protects? How must business processes change in order to bring a particular class of data under the protection of a particular security level?

Finally? How will IT educate the clients, auditors and lawyers as to what each security level provides, what they cost, and how it will change the way the organization manages its information. This education is vital. There’s no point in putting data into a particular category if you don’t know exactly what level of security will protect it.

One last note? While the levels of data sensitivity are fairly constant, the security levels require constant re-evaluation. Security is always a race, and “they” keep running when we sleep.

de Jager is a speaker & consultant. Contact him at, he’s just published a collection of mini-essays called ‘Truth Picks”, order it online at