The idea of getting strategic around information is hardly new. 

Records managers, IT enterprise content management (ECM) owners, information governance professionals, e-discovery owners — literally everyone involved in managing unstructured content — wants to stop being tactical and “get strategic” these days. So it's not surprising that information security professionals would join the fray. 

But, for a number of critical reasons, I feel that information security professionals are better placed to help their organizations realize the benefits of improved information management — if they can get strategic about how they do their jobs.

So how do information security professionals get strategic about their jobs? 

Gain Authority

Without consensus that you can manage information to address enterprise risk, you’re dead in the water. So the first thing you need to do is secure agreement across the enterprise that Information Security can purge redundant, obsolete, and transitory data, can take control of orphaned data (i.e., data that's been untouched for X years), can purge junk data (e.g., iTunes libraries, backed up hard drives, etc.), and can remediate access to sensitive data — all within the overall framework of records management compliance and e-discovery.

Without this, all you can do is protect the borders — try to keep bad actors out by building a stronger moat — which since the Target, Home Depot, Anthem and CHS breaches, seems less possible.

Get Your House In Order

The question of a breach is not if but when, so ignore behind the firewall information lifecycle management at your peril. What sensitive data you have and where it's located is as (if not more) important than how well you secure the perimeter to keep bad actors out.

The difference between a Target and Home Depot breach is in: 1) how well you’ve managed the data lifecycle leading up to the breach and 2) what policies and procedures you have in place to govern how business users work with content and data day to day.

Deliver Business Value

No doubt about it, CISOs keep CXOs out of jail, and most of the time, those same CXOs are willing to pay for that service. But if you can’t deliver more than that over the long haul you’ll face increasing resistance as other, more positive business initiatives compete for leadership attention and funding.

Find other sources of business value for your information security efforts, e.g., operational efficiencies gained through reduced volume of junk content or reduced application costs through decommissioning legacy apps.

No Orange Jumpsuits

At the end of the day, the strong mandate most information security leaders enjoy has everything to do with keeping their bosses out of orange jumpsuits. So whatever information governance or compliance initiatives you might be passionate about, know that your leadership is passionate about not winding up in jail … or at least not winding up in front of DOJ, the state legislature or other high profile commissions who will call them out of any number of reasonable decisions that, in the light of day, seem less than reasonable. 

Never forget who ultimately pays your bills and supports your efforts.

It Tolls For Thee

If you’re a traditional information management professional, this post should give you pause. After all, you’ve had the conch shell for at least 10 years, and yet more often than not you still struggle to realize business value beyond the very basics delivered by information management.

So it’s now time to put up or shut up — you own information management, what are you going to do with it?

The Final Word

Although there isn't a one size fits all solution out there, hopefully this post gives you enough raw materials to make progress against your plans back at your desks. And if you’re a more tactical CISO (e.g., have a strong IT development background or come out of corporate compliance) rather than a more strategic CISO (e.g., come out of the business), hopefully this post gives you some sense of what’s going to be expected of you in the brave new world where information security and information management converge.