Security, Sharing, or Both?
WikiLeaks and the more recent leaks of the United States National Security Agency's classified PRISM program show us that our personal data and that of our organizations and governments are under siege. At the same time, we work in a world that requires innovation and sharing of information as the best innovation comes from the human combination of disparate knowledge . Some may respond to security concerns by restricting online collaboration, but we must not hamstring innovation in the name of data security. Instead, we need to give security its due, but through a solid mix of human, technical, and organizational practices that work with our innovation goals.
Value of Sharing
Nilofer Merchant highlights the value of sharing for innovation in her recent book, 11 Rules for Creating Value in the Social Era. Even in the high privacy world of medical information, sharing has value:
When you share, you can make something better for everyone....
Unlike most health-care policies that worry about privacy, PatientsLikeMe focuses on openness. It believes that sharing experiences and outcomes is good. Why? Because when patients share real-world data, collaboration on a global scale becomes possible. New treatments become possible. Most importantly, change becomes possible. And ultimately this leads to the greater purpose: speeding up the pace of research and fixing a broken health-care system.
In business organizations, sharing can be foundational for innovation. In 2010 P&G evolved its already stellar innovation practices to focus on increased sharing with outsiders ranging from government labs to small and medium-sized entrepreneurs and consortia .
I acknowledge that collaborative activities like document sharing have their risks. However, our goal should be to manage this tension between sharing and security by leveraging all of human, technical, and organizational systems rather than any unidimensional technological or process constraint. Fredrick Brooks, summarizing concerns of any “silver bullet” approach, notes, “[ t]here is no single development, in either technology or in management technique, that by itself promises even one order of magnitude improvement in productivity, in reliability, in simplicity.
Cost of Not Sharing
For companies to remain innovative, we cannot return to a world of R&D done in windowless buildings or with overly strict restrictions on how we share with our networks. We must avoid the urge to respond to threat with rigidity, even if it is a natural human tendency.
A colleague gave me an example of the downsides of restricting the free flow of information. He was serving as the chief knowledge officer of a large oil company just after the time of Enron’s meltdown. His goal of using email as a resource for knowledge sharing and innovation were in direct conflict with the company’s chief security officer’s goals of limiting the costs of legal discovery in the case of a lawsuit. The chief security officer won and email policy tools were used to automatically delete archived emails after a relatively short period. The chief knowledge officer was left with the task of supporting knowledge management in an organization where portions of project histories were deleted every day.
Build a Language of Sharing
The answer to our security challenges begins by learning a language of sharing, privacy, and security so that individuals and teams can create effective mixtures of human, technical, and organizational security at the ground level. We need a framework for thinking about how data gains in value when shared, and shared with the appropriate people. High security organizations have such a language with terms such as, “company proprietary,” “need to know,” “secret,” “top secret,” or “eyes only.” But what about, “share freely,” “share with the project” or “when in doubt, don’t send it out”?
Your organization may not be comfortable with Red Hat’s (a Linux and other open source software company) “ default to open” approach to sharing, but think of that as one end of a spectrum. Your organization will fit somewhere between “default to open” and labeling everything with top secret watermarks.
Start with a business model approach to sharing in your organization: How important is it to have collaboration and to what extent? Overestimate the value of sharing, especially in organizations with more millennials. Have project teams add a sharing model to their team charter discussions. Invite rank and file employees to sit on security governance committees so work practices will be represented in policy decisions. Be open, clear, and follow through on security policies and industry regulations. Cover everything from how social media fits, or doesn’t (beware deciding it doesn’t), to document and calendar sharing across organizational boundaries.
All Security is Human
There is no one policy that fits all organizations. There is, however, one certainty: all security is human at its core. The members of your organization, in partnership with your security experts, must be engaged in designing the right mix of human, technical, and organizational policy mechanisms to support securing sharing and innovation for the long run.
Most of us lock our front doors in urban areas. Some of us hire security companies. Kids are taught about “stranger danger.” Physical security is part of our daily lives. The answer to our security challenges begins by learning a language of sharing, privacy, and security so that individuals and teams can create effective mixtures of human, technical, and organizational security at the ground level. We need a common, well understood framework for engaging everyone in data security. The options and the language must match the organization and be part of daily organizational life.
For more multidimensional perspectives on data security, see the Harvard Business Review blog's Insight Center "Data Under Siege."