Note: this blog is a mirror of my HP Labs Blog, on the same topic, accessible at: http://h30507.www3.hp.com/t5/Research-on-Security-and/bg-p/163

Thursday, September 4, 2008

Part II: Risk Management for Unstructured Data in Enterprises

In a recent post published on the Netweaver Identity Manager Weblog, the author has made a few comments about my post on “Risk Management for Unstructured Data in Enterprises” (well, actually the published URL to my post is apparently broken …).

Thanks for this input, in particular about three main points that I (tried to) summarise as follows:

1) Meaning of unstructured data (or the fact that unstructured data does not exist by definition …)
2) Narrowness of perception of approaches and incompleteness of my list of required solutions
3) Availability of comprehensive methodology for implementing enterprise wide risk management

About point 1), this looks pretty much like a philosophical discussion. No doubt that, in the end, we are talking about information that has some sort of structure (well, an email has a header, a body with some text and attachments; a document is made of paragraphs or lines of text; …). However, the (maybe over-hyped) “unstructured data” term is currently used to (a) identify specific types of information and (b) contrast it against classic “structured data” (e.g. information stored in RDBMS repositories, etc.). I think I will stick with this terminology …

Back to the key point, recent reports (including the Ponemon Institute’s survey on “Governance of Unstructured Data” and other market and research reports) indeed highlight that the management of unstructured data is a rising concern for enterprises, both in terms of governance and risk management. I think this is what really matters, independently of the terminology.

No doubt that classification of data is an important point, especially if you ever manage to “find” where this “unstructured data” is within a complex enterprise environment … I would say that, given the particular nature of “unstructured data”, a preliminary “data discovery” phase might be required, indeed followed by a classification and an assessment of its value (considering, though, that the value of some of this information might also come from aggregations and correlations …).

About point 2), my post was by no means meant to provide a definitive or comprehensive assessment of, and answer to, the problem of information risk management or, more specifically, of “unstructured” information risk management. It was just a statement of some “desirable” properties and capabilities that I would like to see (and I know they would be of some help to customers …).

I am well aware of the complexity of the overall (security) “enterprise risk assessment and management” problem, its extent and the fact that, when assessing and managing (security) risks, many factors are involved, including business goals, IT, other assets, people, processes, awareness/education, etc.

(Security) risk assessment and management techniques, methodologies, frameworks, standards, etc. are indeed out there (e.g. ISO 27005/2700x, CoBIT, etc.). These “standards” provide guidelines and criteria that need to be carefully refined, grounded and contextualized in the various “operational” realities, along with some good common sense …

So, no doubt that there is already a “comprehensive methodology for implementing enterprise wide risk management”, at least from a consulting perspective, but this was not my main point.

My main point was not so focused on these methodologies but rather on the need to better understand and possibly improve the process of exploring, explaining and predicting the consequences and impacts of strategic (policy) choices and decisions in enterprise contexts and environments, in particular when dealing with security matters.

An approach that we are currently exploring is based on modeling and simulation techniques in the security field, coupled with economic theory and social science. Please have a look at the HPL Technical Report on “Identity Analytics” that I mentioned a few times to see what I mean in more detail (at least from an “IdM perspective”).

Specifically, one of my R&D interests is in “(semi-)automation” tools and solutions in this space that can indeed help and support professional and consulting services in their risk assessment and management activities. This includes providing decision support and “what-if analysis” (involving modeling and simulation), trade-off analysis, etc.

Given the complexity of this space, I deliberately focused on the aspect of “management of unstructured data” and the IdM perspective, well aware that this is just a part of the overall problem and space.

I hope I clarified this point.

About point 3), no doubt about this, as I mentioned above.

However, the statement that “comprehensive methodology for implementing enterprise wide risk management is done” sounds (at least to me) a little bit abstract …

It would be of some interest to the readers of this blog if this statement could be elaborated (specifically in the space of IdM and information management), along with some recommendations/input/directions (hopefully beyond having to hire a consulting company … :-)).
