Who’s sets objectives: Legal, Business lines or IT?


Middle of the road: legal counsel
A majority of organizations are relying on legal counsel to establish objectives for the integrity, availability and confidentiality of information.


However, for the 7-in-10 organizations using legal counsel to drive and manage these objectives, the track-record is mixed, with data-loss and theft rates ranging from 3 events per year to as many as 15 such events.

In contrast, organizations where business divisions establish and maintain these objectives are much more prone to data loss and theft: at rates of 16 or more customer data loss events each year.  In some cases, firms are suffering from many tens-of-such events.

Best performers
Organizations with the fewest loss or theft of sensitive customer data, at less than 3 such events each year, are relying on IT to establish and maintain objectives for information integrity, availability and confidentiality.

Stakeholders, Owners and Policy Managers
Truth-be-told, objectives for information integrity, availability and confidentiality differ, depending on the information, the business processes involved, risk-factors, IT systems and applications involved, controls that are in place to manage risk, and legal and regulatory demands among others. Complications such as Country and regional laws, cultures, third-party providers, and reporting requirements only add to the complexity in managing sensitive business information. 

While many organizations employ an “ownership” concept for IT assets and information based on budgets in business lines, this is not the same nor to be confused with managing policies and controls for managing risks related to the use of information and IT assets.

The evidence is clear: IT should be in charge of establishing and managing objectives for information integrity, availability and confidentiality, with input from all relevant stakeholders.

More information from latest research is available at:

Jim Hurley


One Response to “Who’s sets objectives: Legal, Business lines or IT?”

  1. Stephen Says:

    Gentlemen, with all due respect, none of the options are near appropriate.

    Keep in mind that when a data breach is identified and the alarms have gone off, it is the financial and security executives who feel the most pain (when the digital dust settles). They are the ones who have to pick up the forensic mess of Who? What? Where? When? How do we determine the cost of loss?

    This is where the CFO and Senior Security Officer of any SaaS operation are held accountable. And, the fall back question is beginning to point to the liability “elephant-in-the-room”. How much did this cost us?

    Another issue: Should we have purchased data (breach) insurance?

    SLA’s don’t cut it anymore.

    Eventually the stakeholder’s and collective objectives you mention do have a say as to IT policy, but the cost of loss is always where the decision buck stops…where data liability and the end result meet. IT policy should include the Chief Financial (insurance) Officer, because he is who writes the lack of coherent IT policy or the “IT loss” checks.

    IT policy and “risk of data loss” require cover.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: