People Centric Information Security – Part III


The importance of information streams

And why they are key to determine information value

Information streams are essential to realizing information security. In my previous blog I explained why it is important to perceive information security as an aspect of quality. I also talked about the importance of information streams. In this blog I will explain what I mean by an ‘information stream’ and why it is so crucial to information security.

Introduction

Let me begin with the definition of information: “Information is an abstract concept that refers to that which has the power to inform.”[1]

In my experience organizations tend to start with technology when talking about information security. The correct construction of technology is (and will always be) a very important aspect of achieving proper cyber security, which in turn is an important aspect of information security. By construction I mean development, implementation, configuration, and maintenance. To design the best technical environment, it is key to start with information. This is why it is so important to start with an organization’s business functions instead of with technology. Your business functions reflect the way people working for, or with, your organization process information to realize its goals and objectives. To relate this to the existing literature: it is about people, process and technology.

Now, to explain what information streams are, I need to add the following three aspects:

1. Organization

2. Information

3. Business functions

Here’s why:

The goals and objectives of an ‘organization’ determine what knowledge and skills ‘people’ must possess to ‘process’ the ‘information’ of the organization in order to achieve them. Adding ‘technology’ helps to achieve goals and objectives, because it supports the organization and its people to process information more effectively and efficiently (digitization).

This processing of information is done by various people, with various sets of knowledge and skills, who together realize ‘business functions’ for the progress of business processes. An organization organizes its people in departments, which it makes responsible for performing the tasks needed to realize business functions. These business functions generate the information streams that are necessary for the progress of business processes.

I’ve visualized this in Figure 1:

[Figure 1: Visualization of People – Process – Technology, with the addition of Organization, Information and (an impression of) Business Functions.]

Setting business functions as the starting point enables us to put people and information at the center of information security. This explains how to best design the ‘means’ to support the ‘end’:

  1. Means: the technology that supports the organization.
  2. End: meeting people’s needs, with the right information security measures to balance workability and security.

The first point is about realizing cyber security. The second point is about realizing information security. As cyber security is part of information security, we first need to understand the second point. Only then are we able to realize the first.

Working like this will best safeguard the accomplishment of the organization’s goals and objectives. It will embed information security in the way people work.

Securing Information Streams: A New Approach

The challenge is to find the best way to capture the information streams within business functions, in such a way that the information streams provide tangible context: context that allows organizations to add ‘just enough’ security measures. The information streams within business functions thereby become the primary object to secure.

Information Streams: What are they and what do they look like?

An information stream (also called an information flow) is part of a business process. An information stream is limited to a specific department, or to a business function within that department.

To help explain and visualize this, I illustrated a simplified example in Figure 2. It is a visualization of the Human Resources (HR) process to recruit a new salesperson:

Figure 2: Recruitment process, and underlying information streams, to recruit a new salesperson

Situation

The sales department needs extra resources (people). This need arises from a business goal set by senior management: realize higher revenue. The new salesperson has to have the right knowledge, skills, experience and expertise. She or he must be able to quickly start selling the organization’s solutions.

Explanation of Figure 2

The process owner is HR. This department is responsible for the recruitment process (including the policies, procedures, controls, and work instructions). HR expects everyone to follow this process when the need for new people arises.

HR is, however, not responsible for deciding who best fits the role and responsibilities of the vacancy. That responsibility lies (in this example) with the Sales department. Nor is the salary house (the organization’s salary structure) the responsibility of the HR department: the Finance department sets the salary house and has it approved by senior management. There needs to be collaboration between all these entities. Is the organization prepared to deviate from the salary house for a certain candidate? Does senior management accept this deviation?

The Translation to Information Security

There are several ways to look at this process from an information security point of view. HR is the process owner, so it has an important say regarding the execution of the process. At the same time, many different business functions (Sales, Finance, HR, Senior Management) are involved in the process. Each is expected to perform its specific activity for the progress of the recruitment process. The information streams represent the parts of the process that go from one business function to the next. These are necessary because they create the input needed to achieve the goal of the process.

Different people and different (types of) information are involved, and the HR department is not responsible for all of that information. Let me elaborate on this:

The sales department is responsible for delivering the information regarding the knowledge and expertise it requires for the role. The sales department also decides the value of this information. That means it has to determine:

  1. Who is allowed to access this information?
  2. What happens if this information gets in the wrong hands?
  3. How important is it that this information is correct?

The answers to these questions will differ per department. The sales department requires its information to be public: if you don’t publish the requirements, there will be no applicants, and it is impossible to realize the business goal.

The Translation to Risk

What the organization is willing to pay the new salesperson is not public. It is possible that the organization is willing to pay more to a new salesperson: if the right person comes along, a deviation from the salary house might be justifiable. But if your existing salesforce gets wind of it, this will most likely demotivate them, if you decide not to increase their salaries accordingly. Many organizations consider a demotivated workforce a serious risk, and commercial organizations often qualify the demotivation of their salesforce as a high enterprise risk. The finance department is responsible for the processed financial information. In many organizations, the finance department is also responsible for managing (enterprise) risk.

Mitigating the Risk

If the organization decides to pay the new salesperson more than usual, this might become a problem, especially when people from the salesforce get access to the salary details.

There are a couple of ways to avoid this:

  1. Make sure only authorized people can access this information in the salary application, and make sure that they don’t talk about it.
  2. Tell the new salesperson not to discuss the level of the salary with his/her new colleagues.
  3. Of course, the more sustainable thing to do is to accept that there is a change in the market and change the salary house to pay salespeople more equally. This will make them more loyal to your organization; thus, it is more sustainable.

Realizing Compliance

Regarding the three points in the previous paragraph, compliance is realized as follows:

  1. IT needs to set the right access rights in the salary application. Salary administrators need to have terms in their contracts regarding keeping salary information confidential.
  2. The new salesperson also needs to have this term as part of his/her contract.
  3. Start meetings with the organization’s Works Council and update the salary house.

Realizing Compliance Regarding Privacy/Personally Identifiable Information (PII)

Now it also becomes clear where in the process PII becomes relevant. In the beginning of the process, there is no PII involved. Only when candidates start sharing their resumes does PII become part of the process. And that is where data protection officers and privacy officers need to be involved (if your organization needs to comply with privacy legislation).

Translation to Information Governance, Quality management, Enterprise Architecture, and IT

This example shows how, within the same process, there are different requirements for information security, and how different people, or entities, within the same process are responsible for that information. It shows how risk relates to the process from different angles. Understanding this enables you to determine responsibility. The responsible person needs to determine the requirements for the information he or she processes. This makes it possible to safeguard (or increase) quality and to translate the requirements into just the right measures in the underlying IT environment. It also helps to build secure enterprise architectures with information security as an important part of the architectural foundation.

This is why information governance is so important to information security. The right people need to first capture their information streams. They need to capture and manage these in the IBOM[2], the Information Stream Bill of Materials, and they need to do this for all business functions they are responsible for as information owners. This is the only way they can determine the value of the information within these streams, and that input is essential for the realization of information security throughout all business processes.
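To make the idea of an IBOM concrete, here is an added example (my own illustration, not code from the original blog or from the NCSC): a minimal Python record of the information streams in the recruitment process of Figure 2. The page gives the IBOM no fixed schema, so the fields (source, target, owner, classification, readers, PII flag), the classification scale and every stream entry are constructed assumptions. The functions derive from the owner’s classification who may read a stream, which owners a department must consult, and where PII enters the process.

```python
from dataclasses import dataclass
from enum import Enum


class Classification(Enum):
    """Value the information owner assigns to a stream (constructed scale)."""
    PUBLIC = "public"              # may be published, e.g. the vacancy requirements
    INTERNAL = "internal"          # any business function inside the organization
    CONFIDENTIAL = "confidential"  # only the readers the owner lists on the stream


# Business functions inside the organization (constructed for the example).
INTERNAL_FUNCTIONS = frozenset({"Sales", "HR", "Finance", "Senior Management", "IT"})


@dataclass(frozen=True)
class InformationStream:
    name: str
    source: str                       # business function that produces the stream
    target: str                       # business function that consumes it
    owner: str                        # business function that decides its value
    classification: Classification
    readers: frozenset = frozenset()  # functions allowed to read a CONFIDENTIAL stream
    contains_pii: bool = False        # does the stream carry personal data?


# Constructed IBOM for the recruitment process of Figure 2. The entries are
# hypothetical and only illustrate the shape of the record.
RECRUITMENT_IBOM = (
    InformationStream("resource request", "Sales", "HR", "Sales",
                      Classification.INTERNAL),
    InformationStream("role requirements", "Sales", "HR", "Sales",
                      Classification.PUBLIC),
    InformationStream("salary house", "Finance", "HR", "Finance",
                      Classification.CONFIDENTIAL,
                      readers=frozenset({"Finance", "HR", "Senior Management"})),
    InformationStream("salary deviation decision", "Senior Management", "HR",
                      "Finance", Classification.CONFIDENTIAL,
                      readers=frozenset({"Finance", "HR", "Senior Management"})),
    InformationStream("candidate resumes", "Candidate", "HR", "HR",
                      Classification.CONFIDENTIAL,
                      readers=frozenset({"HR", "Sales"}), contains_pii=True),
    InformationStream("agreed salary", "HR", "Finance", "Finance",
                      Classification.CONFIDENTIAL,
                      readers=frozenset({"Finance", "HR"})),
)


def find_stream(ibom, name):
    """Return the stream with the given name, or raise KeyError."""
    for stream in ibom:
        if stream.name == name:
            return stream
    raise KeyError(name)


def may_access(ibom, stream_name, function):
    """Access decision derived from the owner's classification, not from IT defaults."""
    stream = find_stream(ibom, stream_name)
    if stream.classification is Classification.PUBLIC:
        return True
    if stream.classification is Classification.INTERNAL:
        return function in INTERNAL_FUNCTIONS
    # CONFIDENTIAL: only the business functions the owner listed
    return function in stream.readers


def access_review(ibom, function):
    """Streams a function may read: the input IT needs to set application access rights."""
    return [s.name for s in ibom if may_access(ibom, s.name, function)]


def owners_to_consult(ibom, function):
    """Owners of streams a function handles but does not own (whose requirements it must follow)."""
    return sorted({s.owner for s in ibom
                   if function in (s.source, s.target) and s.owner != function})


def streams_with_pii(ibom):
    """Where in the process privacy officers need to be involved."""
    return [s.name for s in ibom if s.contains_pii]


if __name__ == "__main__":
    print("Sales may read:", access_review(RECRUITMENT_IBOM, "Sales"))
    print("HR must consult owners:", owners_to_consult(RECRUITMENT_IBOM, "HR"))
    print("PII enters at:", streams_with_pii(RECRUITMENT_IBOM))
```

Note that the access decision is a function of the record, so a change by the owner (say, Finance widening or narrowing the readers of the salary house) changes what IT is expected to configure, which is exactly the ownership relation the blog argues for.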

Conclusion

To realize business goals and at the same time manage information security, we need to start managing information streams. Create the IBOM, the Information Stream Bill of Materials. This will help enhance business processes and the way we manage quality, information security, risk, compliance, architectures, and IT.

I say: Information streams for president!

Stay Tuned for Upcoming Blogs!

In my next blog I explain how information streams relate to information security. I will show the information security process: the process that makes it possible to implement information security in the context of a specific organization. I will also illustrate at which point cyber security (and technology as a whole) becomes part of the information security process.

In later blogs I will zoom in on the different aspects in the information security process and how to create an ‘Information Security Management Center’ (ISMC). A center that has a holistic view and can best steer the information security process.

Footnotes

[1] Source: Wikipedia

[2] Link to a blog about the IBOM from the Dutch National Cyber Security Center (NCSC): https://www.ncsc.nl/actueel/weblog/weblog/2022/sbom-heeft-ibom-nodig-om-echt-effectief-te-zijn

Kasper van Wersch

About

With great enthusiasm I have been working in IT for 25 years now. I started in sales and over the years my interest shifted to consultancy. The emphasis of my work has always been (and still is) Information and Cyber Security. During my sales career I have seen many changes in IT and helped organizations, with different environments, to cope with these changes. These experiences helped me create a sharp vision regarding the value Information Security has for organizations, how Cybersecurity is situated in Information Security and its relation to IT. With this vision I have developed a strategic integrated approach to help organizations optimize processes and safely digitize them, and their information. My aim is to introduce an integrated, people centric approach, which realizes higher quality, higher resilience, and future readiness.
