Michael D. Moberly September 2, 2008
An essential starting point in conceptualizing a company’s information asset protection policy is to ensure it is framed in a manner that reflects the real objective: to sustain (protect, preserve) control, use, ownership, and value of knowledge-based, largely intangible assets, which include intellectual properties.
Framing the policy in this context gives company-wide recognition and credence to the economic fact and business reality that today, 65+% of most companies’ value, sources of revenue, sustainability, and future wealth creation lie in, or are directly linked to, proprietary know-how and information, intellectual property, competitive advantages, brand, reputation, goodwill, etc., which are, of course, forms of intangible assets! And if control, use, ownership, and value of those assets are not sustained (protected, preserved), the consequence is seldom favorable.
In too many instances, company information asset protection policies, practices, and procedures (a.) are too narrowly framed, categorized in sometimes confusing military (DoD-oriented) classification contexts, i.e., sensitive, confidential, secret, top secret, etc., (b.) are likely to be heavily influenced, if not substantially written, by an IT unit that embeds the policy with an overriding IT security orientation, and (c.) may have little or no recognition that proprietary information (i.e., a company’s trade secrets, IP, know-how, competitive advantages, etc.) exists in formats or contexts other than electronic bits and bytes.
Information asset protection policies composed with a dominant IT orientation, and absent a broader, inclusive intangible asset context, minimize, if not undermine, the larger and more important policy message: all employees, not merely those in a company’s IT (security) unit, have an individual and collective responsibility (role, contribution) to safeguard their company’s proprietary information, regardless of the context or format in which that information exists!
Today, a company’s information asset protection policy should be a collaborative and cross-functional initiative, one that expressly conveys the reality that valuable, proprietary know-how is not the exclusive domain of a single business unit, i.e., IT, R&D, legal, or manufacturing, etc. As most practitioners realize, proprietary and sensitive business information (that produces and delivers value, revenue, competitive advantages, brand integrity, goodwill, etc.) often percolates throughout a company and is not strictly confined or limited to what one can access through their laptop or desktop.
To be sure, an information security policy that implies, through a dominant IT orientation, that all valuable, important, and proprietary (company) information (a.) evolves from, (b.) is stored in, and/or (c.) is backed up in the IT system can inadvertently lead employees to assume that if the company’s IT system is proclaimed to be secure, then the company’s proprietary information is likewise secure; an assumption companies literally can’t afford to convey.
For the unconvinced, try listening to cell phone conversations in hotel lobbies and airport lounges, or glance at the laptop screen of the person seated next to you. I’m sure you will find that all valuable proprietary information really doesn’t exist exclusively in electronic bits and bytes!