In a recent Ponemon Research Report, “Understanding the Value of Information Assets,” 2,827 respondents from a variety of sectors answered questions about how they prioritize and secure the information assets they protect. The study covered a range of different types of data, including “research and design (R&D) documents, computer source code, merger and acquisition (M&A) documents and customer contracts.” The findings highlight how different organizations–and different departments within organizations–perceive different data and its worth.
According to Ponemon, the study was intended to “assist respondents in determining the value of their organizations’ information assets.” As the study emphasizes, how data is valued can have a significant impact on the safeguards put in place to protect it, and how secure an organization is against outside threats. The study shows we may not always have an accurate understanding of which data should be prioritized, and different departments might disagree about which information is the most important to protect.
Findings from the report provide examples of this discrepancy:
IT security teams value R&D documents 50% less than how the business line values it — $306,545 versus $704,619. This can lead to insufficient investment in protection and backup investments.
In comparison with the Accounting and Finance function, IT Security significantly underestimates the cost of financial report leakage — $303,182 versus $131,570. Consequently, they may not invest enough to protect financial reports from leakage, potentially leading to an expensive breach.
IT security values monthly salary lists of employees more than HR does. Because IT security may be overly focused on PII, this may reduce the investment in protecting more expensive data types such as product designs, pricing or financial data.
These findings converge on a single point: IT departments don’t necessarily assign the same value to information as the departments in charge of that data. As the findings note, because IT is largely responsible for the measures that protect data, this discrepancy could cause major security problems. Companies could be left wide open to breach, simply because certain information assets aren’t being allotted the resources or protection it needs.
The solution? Strong leadership. IT may have the upper hand on other departments when it comes to prioritizing data protection, but they shouldn’t have the final say. What’s more, they may not have the greatest visibility when it comes to the data other departments possess, or what that data is worth in a broader business context. But company leaders–supervisors, executives, the C-Suite–do have that power, and that visibility. They are the ones who can and should step in and take stock of all data and the worth assigned to it in each department. It should fall to leadership to forge a framework so the organization understands the worth of the company’s critical assets.
But what if leaders themselves don’t fully understand how to differentiate data sets and establish the value of data accordingly? Targeted training, such as those found in GLS’ Leading a Secure Organization courses, can help explain how to prioritize information assets, the potential risks of mis-prioritization, and how to maintain overall security. With that information, organizational leaders can direct the efforts that ensure valuable data is properly protected.