Every time there is a report of a major theft of intellectual capital, all eyes invariably turn to the IT department, and the question that gets asked is: with all the money we spend on security, how could this happen?
The latest company asking that question is Ford Motor Co., which is trying to figure out how a former employee allegedly took a large amount of the company's intellectual capital with him when he jumped ship to join a rival Chinese car manufacturer. After all, just about every major company has invested in layer upon layer of security, including data loss prevention (DLP) software, to prevent exactly this kind of thing.
The problem is that the way we approach data security today is largely defined by how IT sees the world: as layers of horizontal products and technologies. What IT doesn't have a handle on is which specific individuals should have access to which information by virtue of the business process or task they are part of. The result is that IT can set policies that flag aberrations in the usage of specific products and technologies, but it has no way of knowing that a particular file open at midnight is one that shouldn't be accessed outside normal business hours, and certainly not by the person currently accessing it. The DLP product can see the read; only the business can say whether that person, at that hour, had any reason to be reading that file.
Of course, it's doubtful we'll ever be able to lock everything down. But right now we don't even know what the real risks are. We talk about the need for more identity governance, but to actually do that, someone from the business side has to be willing to sit down with IT and build a profile of who has access to what, and why. Otherwise, the divide between IT and the business will only widen into a channel through which the organization's most important information routinely escapes.
The next time there's a major data breach, business users shouldn't be looking to point the finger at IT. The real issue is that the business side doesn't want to take responsibility for how data is accessed and used. Every time one of these breaches happens, it turns out there was never a set of business policies in place that limited who could access what, when, and how. Answer those questions up front, and chances are pretty good you'll never have to ask why something happened after the fact.
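To make the "who, what, when, and how" questions above concrete, and to show the kind of check the midnight-file scenario earlier in the piece needs, here is an added example in Python. It is not code from the column or from Ford; the access-profile schema, the user names and roles, the file paths, and the log line format are all constructed for illustration. The point it demonstrates is that the detection logic is trivial once the business has supplied the profile, and impossible without it: the unclassified file at the end produces a finding precisely because nobody has said who may touch it.

```python
"""Evaluate file-access events against business-defined access profiles.

Added illustration: the profile table answers "who, what, when and how" for
each class of data. Every name, role, path and log line below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessProfile:
    """Business-side rule for one class of data (hypothetical schema)."""
    data_class: str
    allowed_roles: frozenset    # who: roles tied to the business process
    start: time                 # when: start of the permitted daily window
    end: time                   # when: end of the window (weekdays only)
    allowed_actions: frozenset  # how: actions the process actually needs


# Constructed profiles, the kind of mapping the column says IT lacks.
PROFILES = {
    "engineering-design": AccessProfile(
        "engineering-design",
        frozenset({"powertrain-engineer", "cae-analyst"}),
        time(7, 0), time(19, 0),
        frozenset({"read", "write"}),
    ),
    "supplier-pricing": AccessProfile(
        "supplier-pricing",
        frozenset({"purchasing-analyst"}),
        time(8, 0), time(18, 0),
        frozenset({"read"}),
    ),
}

# Constructed roster: which business roles each account currently holds.
ROLES = {
    "alice": {"powertrain-engineer"},
    "bob": {"purchasing-analyst"},
}


@dataclass
class Finding:
    ts: datetime
    user: str
    path: str
    reasons: list


def parse_event(line):
    """Parse one constructed 'ISO-timestamp key=value ...' log line."""
    ts_str, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def evaluate(event):
    """Return the profile violations for one event (empty list if compliant)."""
    profile = PROFILES.get(event["class"])
    if profile is None:
        # No business owner has said who may touch this data, so nothing can
        # be judged: that absence is itself the finding.
        return [f"what: no access profile defined for class {event['class']!r}"]
    reasons = []
    if not ROLES.get(event["user"], set()) & profile.allowed_roles:
        reasons.append(f"who: {event['user']} holds no role permitted for {profile.data_class}")
    ts = event["ts"]
    if ts.weekday() >= 5 or not (profile.start <= ts.time() <= profile.end):
        reasons.append(f"when: {ts:%a %H:%M} is outside the weekday "
                       f"{profile.start:%H:%M}-{profile.end:%H:%M} window")
    if event["action"] not in profile.allowed_actions:
        reasons.append(f"how: action {event['action']!r} not permitted for {profile.data_class}")
    return reasons


def scan(lines):
    """Run every log line through evaluate() and collect the violations."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = evaluate(event)
        if reasons:
            findings.append(Finding(event["ts"], event["user"], event["file"], reasons))
    return findings


# Constructed access log. 2011-02-14 is a Monday, 2011-02-19 a Saturday.
SAMPLE_LOG = [
    "2011-02-14T09:15:02 user=alice action=read file=/eng/designs/drivetrain.pdf class=engineering-design",
    "2011-02-14T00:07:41 user=alice action=read file=/eng/designs/drivetrain.pdf class=engineering-design",
    "2011-02-14T23:58:10 user=bob action=copy-removable file=/eng/designs/drivetrain.pdf class=engineering-design",
    "2011-02-14T10:30:00 user=bob action=read file=/purchasing/q3_pricing.xlsx class=supplier-pricing",
    "2011-02-19T10:00:00 user=alice action=read file=/eng/designs/drivetrain.pdf class=engineering-design",
    "2011-02-14T11:00:00 user=alice action=read file=/shared/notes.txt class=internal-misc",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user} {f.path}")
        for r in f.reasons:
            print("   -", r)
```

Run as written, the scan flags four of the six events: alice's midnight read (wrong time, right person), bob's late-night copy to removable media (wrong person, wrong time, wrong action), alice's Saturday read, and the read of a file no one has classified. The first event and bob's weekday read of pricing data pass. Everything interesting here lives in `PROFILES` and `ROLES`, which is exactly the information that has to come from the business side; the Python around them is the easy part.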