Deleting information isn't effective for information risk management

Many companies try to get a handle on information risk management by indiscriminately getting rid of information. That's a mistake.

With all the news about hackers and high-profile information security breaches, companies no longer have the luxury of being laissez-faire about keeping information safe. Unfortunately, some think that getting rid of information as quickly as possible is a bona fide information governance management "strategy."

Not so. An organization has a responsibility to protect all the information that it keeps, whether that information is one, six or 120 months old. Using the early disposition of information as a defense mechanism against hackers is at best unethical and at worst inviting disaster. Ethically speaking, once an organization commits to collecting information, it is charged with protecting that information for the duration of its storage.

Knee-jerk reactions to information risk

Unfortunately, the fear that keeping information poses security risks clouds the proper view of information protection. Many companies worry that in the event of information leaks or hacks, keeping information translates to bigger leaks and more damaging hacks. Their first reaction is to reduce the amount of information being kept with the view that keeping more information increases protection costs. That is a faulty understanding of security.

A system costs the same to protect regardless of the volume of information. As volume grows, performance-related issues may crop up, rather than security-related ones. Authentication, encryption, firewalls and intrusion detection all protect and monitor the same way regardless of volume. Controlling access and monitoring for abnormal behavior is still important and is a factor of the volume of people and systems being protected, not the information in the systems.

Many viewed the Sony Entertainment hack as proof that Sony should have deleted the emails that had been hacked. The problem with that argument is that many of the most embarrassing emails were only one to two months old. Automatically deleting emails after such a short duration is dangerous, especially if it is being done regardless of the content of the email.

Planning for the future

There's no doubt that information risk management is tough. It is impossible to know with certainty what information captured today will have value tomorrow. Invoices and contracts are easy enough to identify, but what about that email about the weekly status meeting or cookies in the kitchen? I definitely care about marketing strategies and sales numbers over years, but do I care exactly who made a purchase three years later beyond basic demographics?

In response, many companies take an all-or-nothing approach to storing information. While it's true that not all data relationships are required to be kept forever, it is often difficult to remove only one-half of a relationship between two pieces of information. Too many organizations respond to this dilemma by thinking they must decide if they will keep everything or nothing because it's difficult to determine whether there might be value in the information years before they know for sure. Yet, it's important to keep in mind that once information is removed, or once the relationships that provide context are deleted, they are lost forever.

While organizations struggle with the answers to these questions, the protection of that information should take priority. Knowing that any information will be kept for longer than a few days places the security of that information front and center. Security breaches will only increase in frequency. Organizations need to protect all information and not rely on disposing of information for protection.

The news is not all doom and gloom, however. For various reasons, content analytics are becoming an enterprise must-have. One reason is that analytics can help solve the all-or-nothing information storage dilemma by providing an assessment of information's value. And as organizations learn different methods for extracting value from content, they can change their approach to managing and protecting content and do away with the faulty approaches to information risk management.

Records management has had two driving directives for decades: to preserve information and properly dispose of it when it is no longer required. As the risk of legal action increased over the years, the industry became focused on defensible disposition and worked to be more diligent about disposing records. With the advent of analytics, which is breathing new life into older information, organizations are shifting from having to justify keeping information to having to justify deleting information.

Analytics and the penny

How much is a penny worth to you? Probably not much. A few hundred pennies begin to have value if you dump them into a change machine. Several million pennies add up to real value. Only in the accumulation of pennies can their value be realized.

Information works the same way. Individually, a piece of information has a fixed value. The older that information is, the less it is worth. Traditionally, each piece of information depreciated in value until it no longer had value commensurate with the risk and cost of maintaining that information.

This is because, unlike the penny, there has been no way to extract much value from large volumes of information. Data warehouses made some progress, but they took a lot of work to set up, were limited in size, and did nothing to help extract value from information that was not highly structured.

Content analytics is changing that. As organizations learn different methods for extracting value from content, there is a realization that the organization must also change its approach to managing and protecting content.

This was last published in December 2015

Join the conversation

This article raises some good points. We are not removing data from production environments, but we are "cleansing" or straight deleting data from lower environments, with the idea being that fewer employees will have access to sensitive data, thus lessening the security risk. 