Risk Management and Information

Marco Casassa Mont has a blog post titled Risk Management for Unstructured Data in Enterprises in which he states that he has been exploring “the implications of ‘unstructured data’”. Before we address the larger questions in his post, let’s make a proper distinction. Unstructured data does not exist, by definition. What people mean when they use the oxymoron is data that uses different data structures. Applications for employment, SMS messages, e-mail, instant messages and non-disclosure agreements are obviously organized differently, but they are organized nonetheless; there is nothing unstructured about them. Their form follows their logical function. I believe the term gained popularity because it gave the analysts something new to write about, something new to tag on to “at the end of the day”, “that being said” or “it remains to be seen.” I’m not sure who coined the phrase originally, but they probably thought it a profound insight.

Regardless of its marketing label or its form, we have what we had at the beginning: information. Information that needs to be managed, stored, moved, shared, controlled and contained. The principles for handling risks to information are well established, and they begin with data classification. The classification, not the format, determines how an item must be handled and how much attention its risks deserve, whether the item is an e-mail, an SMS message or a signed NDA. I have seen many intelligent people in large companies chase after the ephemera of “unstructured data” while lacking a data classification program. Without classifying our information, without placing a relative value on it, we cannot properly prioritize or manage the risks to it.
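To make the point concrete, here is an added example (not code from the original post, and not a description of any particular firm's methodology) that applies one classification scheme to records of different structure. The classification levels, the handling rules, the exposure values and the sample records are all assumptions constructed for the illustration; the only thing the example is meant to show is that the checks and the ranking key off the classification and never off the record's format.

```python
"""Classification-driven handling checks over differently structured records.

Added example, not code from the original post. The classification levels,
handling rules and sample records are assumptions constructed here.
"""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    # Relative value of the information; the ordering is what matters.
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Record:
    kind: str                     # email, sms, nda, job_application, ...
    classification: Classification
    encrypted_at_rest: bool
    external_recipients: bool     # has it been shared outside the company?
    exposure: float               # assumed likelihood of compromise, 0..1


# Hypothetical minimum handling requirements per classification level.
# Nothing here depends on the record's format.
HANDLING_RULES = {
    Classification.PUBLIC:       {"encrypt": False, "external_ok": True},
    Classification.INTERNAL:     {"encrypt": False, "external_ok": False},
    Classification.CONFIDENTIAL: {"encrypt": True,  "external_ok": False},
    Classification.RESTRICTED:   {"encrypt": True,  "external_ok": False},
}


def violations(rec: Record) -> list[str]:
    """Return the handling rules this record breaks, whatever its format."""
    rule = HANDLING_RULES[rec.classification]
    found = []
    if rule["encrypt"] and not rec.encrypted_at_rest:
        found.append("unencrypted at rest")
    if not rule["external_ok"] and rec.external_recipients:
        found.append("shared externally")
    return found


def risk_score(rec: Record) -> float:
    """Relative value (classification) times likelihood (exposure)."""
    return float(rec.classification) * rec.exposure


def prioritize(records: list[Record]) -> list[tuple[str, float, list[str]]]:
    """Highest-risk records first, each with the rules it violates."""
    ranked = sorted(records, key=risk_score, reverse=True)
    return [(r.kind, risk_score(r), violations(r)) for r in ranked]


# Constructed sample records: four different structures, one classification scheme.
SAMPLE = [
    Record("sms", Classification.INTERNAL, False, False, 0.2),
    Record("nda", Classification.CONFIDENTIAL, False, True, 0.4),
    Record("job_application", Classification.RESTRICTED, True, False, 0.3),
    Record("email", Classification.PUBLIC, False, True, 1.0),
]

if __name__ == "__main__":
    for kind, score, problems in prioritize(SAMPLE):
        print(f"{kind:16} risk={score:.2f} violations={problems or 'none'}")
```

Run as a script it prints the ranked list. The public e-mail with the highest exposure lands at the bottom because its classification gives it no value to protect, while the unencrypted, externally shared NDA surfaces with two violations even though its exposure is modest; swapping a record's `kind` changes nothing, which is the point.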

Marco goes on to discuss his perception of current approaches and then states this:

I believe this is not enough. Solutions are required to help organizations (and decision makers) to: (1) fully understand the nature of the problem, based on their specific context and environment; (2) have a picture of their overall risk exposure; (3) make informed decisions on which approaches to follow, explain and predict the consequences and define appropriate policies; (4) explore trade-offs.

And if I understood him correctly, his perception of current approaches is narrow in scope and his list of required solutions incomplete. Managing risks to information is a well-defined problem domain, whether the data is stored on hard drives or in filing cabinets, and whether it is sent by fiber or by courier. It is also only one dimension among others in which risks need to be controlled.

Marco closes his post with this question:

So far I have found no comprehensive approach/solution providing these features. Is anybody aware of any?

I’m not quite sure what he means by approach/solution, or whether he means in the public domain, but assuming he means any comprehensive methodology for implementing enterprise-wide risk management, we do have one, and it covers more than identity and information security. There are practices in a similar vein at other consulting firms. In closing, if I have miscategorized anything in his post, I encourage him to correct me.