Successful efforts must start with culture. Data handling and storage is something common to more or less every employee, so top down and siloed attempts to catalogue and control data will inevitably fail, if culture is ignored. 
Imagine you are in a different time and a different industry, which is generating the white heat of progress and offering the promise of a better future. It is 1956, and you have just taken on responsibility for handling radioactive material at Calder Hall, Britain’s biggest nuclear plant. The atom represents the high-tech, cheap-energy future. 

Sadly, there have been so many projects and deadlines that the organisation has given up keeping track of how every last piece of radioactive material is handled. Surely to track it all would be impossible anyway?
In either case, most of the “legacy” is kept in a huge man-made lake outside. Nobody really knows what is in there. Those who do flag the hazards and suggest protections are routinely ignored or worse. 
Enter your “comprehensive enterprise programme”. You’ve bought checklists with hundreds of predefined handling policies from outside experts. You’ve created a small team of dedicated personnel to audit and track every action for every employee on-site.
The problem is that the small team you have budgeted for can’t cover every risky activity on-site. Few of the productive processes at Calder Hall are similar to those in the checklists you have bought.
Every time a new project is spun up, the demands on the central cataloguing team become more onerous and less realistic. The word is out that the fissile material management team is just a power grab, which is ultimately stopping people from doing their jobs. The risks people are taking to get around the auditors are more dangerous than ever before.
The above analogy is stretched, but the message is clear. The benefits of the nuclear material are obvious, but the individuals who make up the organisation have not yet woken up to the terrifying risks. In 1956, the worst nuclear accident in British history was only a year away.
Help the individuals in your organisation understand the risks of holding data so that keeping track and applying appropriate protections becomes intuitive and common sense:
Every organisation is different. Make sure you have thought out and documented clearly the broad classifications of data your organisation will handle.
Invest in awareness training for every employee on the potential effects of the data they handle being leaked, damaged or lost. Track success with questionnaires to measure how well policy is understood.
Hold less data. If you don’t need to collect, hold or handle certain data, then don’t. Consider the risks and associated costs of holding data, as well as the benefits.
Be clear what the appropriate protections are for each classification of data, whether at rest, in transit or on a user’s endpoint device. Gather structured, periodic feedback from a sample of employees and systems to measure success.
Provide easy-to-access and simple tools employees can use to classify and protect data if they are unsure. Gather feedback on usability and track usage of such tools.
Call on established leaders’ help to support a culture of shared responsibility for tracking and monitoring personal data.
Take pushback as an opportunity to promote and clarify values, policy and expected behaviour. Explain why. People don’t like change or extra responsibility. Cultural change is always hard.
Hold every individual in the organisation responsible for tracking and protecting data in the manner appropriate to their role. Periodically review with a sample of employees to ensure responsibilities are understood and acted on.
The risk of identity theft, fraud and misuse of personal data has never been greater. However, any centralised effort to catalogue and control data is bound to fail without a data protection culture.
Don’t contain your creative employees in a poorly fitting control system they don’t understand. They will rebel against and circumvent it, and you might lose them. No quantity of externally imposed audit and process will fill the gap alone.
Only by starting with values and behaviour can an organisation hope to properly track and control the material it is responsible for. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Jim Gumbley is a security expert at global IT consultancy ThoughtWorks.

This was first published in November 2015

Leave a Reply