posted 2 Sep 2002 in Volume 6 Issue 1
Balancing knowledge exploitation and information security
Knowledge management and information security are closely related disciplines, to the extent that there is often a great deal of confusion as to where one ends and the other begins. Tim Travers and Steve Daniels clarify the relationship between these two facets of enterprise management, and discuss how they fit into a broader risk management framework.
Knowledge management and information security (IS) are specialist areas of enterprise management, each of which has gained increasing boardroom attention, focus and priority in recent years. But how different are the two disciplines? Where does IS end and KM begin, and vice versa? Is KM all about benefits with no risks, and IS all about risks, yet with no benefits? Do they both simply represent yet another strategy, yet another management project, yet more unwanted costs and yet still no measurable rewards? In short, where does the balance lie between the exploitation of knowledge for the financial benefit of the enterprise, and the security of the information assets making up that knowledge for the protection of the enterprise? [Note: throughout this article, the term ‘knowledge’ can invariably be replaced by ‘information’, and vice versa, as the subtle distinctions between each term are not important in the context of the scope of this article.]
Aligning KM and IS with business objectives
An overall KM strategy and each KM project must be aligned with the enterprise’s business objectives – all KM experts agree. An overall IS strategy and each IS project must be aligned with the enterprise’s business objectives – all IS experts agree. But each KM and IS strategy or project also involves IS or KM as a part of it. As such, an enterprise-wide language of, and framework for, risk management are essential.
Those risk management frameworks need to be effective. Global events of the last 12 months have graphically demonstrated how a single event can materially change, or even completely destroy, that which existed before, whether tangible assets, like people and buildings, or intangible assets, like brands and reputation. Risk management is a primary facet of good corporate governance.
Whether it is KM or IS (or document management, case management, customer relationship management, etc), each falls within the realm of corporate governance. Whether an enterprise is a listed company or sole trader, its management is about providing assurances to its stakeholders that the business is being run in the right way. Indeed, in certain sectors, risk analysis and management are a compulsory part of corporate governance. For example, within UK government, policy requires that a risk analysis and management process be carried out for all projects, a requirement that is embedded within BS 7799, the British Standard for Information Security Management.
UK public listed companies, and those seeking a public listing, also need to comply with the 1999 Turnbull Report, which prescribes undertaking an analysis of business risks as follows: “A company’s objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which it is exposed.”
Corporate governance overarches everything an enterprise does. In this context, profit can be seen as simply the reward for objective risk taking. Clearly, though, enterprises of all types are not currently doing enough at this level.
Corporate governance in practice
Corporate governance can be viewed in various ways. From an enterprise-wide view, it can be useful to examine corporate governance as a pyramid (see figure 1) with horizontal and vertical slices. Looking horizontally, there are three core slices from top to bottom:
- The board prescribes policies across various vertical sectors of the business;
- Senior and middle management set objectives to deliver on the policies;
- The enterprise’s employees carry out a series of measures, which meet the objectives, which meet the policies.
Figure 1 - enterprise-wide view of corporate governance
Looking vertically, the pyramid has any number of distinct (but always interlinked) sectors of management, which would certainly include KM and IS.
The pyramid also emphasises that corporate governance is about the communication of risks from ‘boardroom to storeroom’, and from the bottom up. So, for instance, corporate know-how comprises the core information assets of the business, which need to be secured. Although KM and IS are not the same thing, they are flip sides of the same coin. Their respective policies, objectives and measures need to correlate. Ultimately, this comes down to people in different parts of the business working alongside each other and co-operating to achieve common aims.
Defining risk management frameworks
Ideally, each distinct risk management framework should be part of the same family, with one high-level framework parent. If the derivative frameworks share a common thread, it will be much easier for a specific strategy or project to get top-level management attention and employee buy-in, and to achieve real business benefits. So how might we define the parent-level risk management framework? Consensus on a definition of the subject is extremely difficult to achieve.
A universal definition of KM, for example, is virtually impossible, as KM impacts upon different enterprises in very different ways. However, a broad view of KM has, at its foundation, the fact that:
- People (being representatives of an enterprise);
- Have clients (comprising distinct representative groups of people outside the enterprise);
- To whom they sell goods and services (made up of the enterprise’s corporate knowledge);
- As part of a whole series of separate matters (transactions, cases, projects, jobs, etc);
- Repeated cycles of which require continuous business development and marketing;
- All of which require the enterprise to sponsor the continuous education and training of its people.
The British Standards Institute, which recently published Knowledge Management: A Guide to Good Practice, refers to a definition taken from Royal Dutch/Shell’s experiences in the field: “The capabilities by which communities within an organisation capture the knowledge that is critical to them, constantly improve it and make it available in the most effective manner to those people who need it, so that they can exploit it creatively to add value as a normal part of their work.”
IS is perhaps easier to define, primarily because it invites a more methodical approach. It typically comprises the following components. First, identify the information assets of the enterprise and how they depend upon infrastructure assets. Second, identify the value of each of them in relation to the impacts of:
For example, in healthcare:
- Are the patient’s records accessible only by his GP and other authorised professionals (confidentiality)?
- Are the records on which a hospital consultant is making a critical patient diagnosis accurate, complete and up to date (integrity)?
- Where a patient is being treated out of hours, can the examining clinician gain access to the patient’s full medical history (availability and destruction)?
Third, identify the threats to, and vulnerabilities of, those assets. Fourth, calculate the measures of risk. Fifth, choose a set of controls, ie, countermeasures, to manage the risks, which are aligned with business objectives and sufficient to reduce the measure of risk to a level that is acceptable to the enterprise. Finally, implement the controls and, possibly, audit in accordance with best practice.
Unlike KM, IS has its own British Standard (BS 7799) and also its international equivalent (ISO 17799). BS 7799 provides for security controls across ten broad areas, and these provide a succinct summary of the range of IS:
- Security policy;
- Security organisation;
- Asset classification and control;
- Personnel security;
- Physical and environmental security;
- Communications and operations management;
- Access control;
- Systems development and maintenance;
- Business continuity management;
Examples and case studies
In the following four sub-sections, we seek to demonstrate how various typical components of KM, or examples of various KM projects, justify and can benefit from a more visible risk management approach to their conception, scoping, implementation and benchmarking. By way of observation, perhaps the term ‘risk management’ should be substituted with the more positive sounding ‘reward management’?
Intranets, extranets and e-commerce
The internet has created numerous new ways of doing business. Intranets and extranets have proved their value in setting up and developing communities of practice and in promoting collaboration among, for example, firms or sole practitioners within a similar business sector or network. Likewise, extranets may have been set up specifically to provide clients with transaction deal rooms or other case management facilities. Clients are constantly demanding added-value services from their providers. As Melissa Hardee, knowledge partner at CMS Cameron McKenna, says: “Law firms and clients will want to exploit technology to share information relating to work in progress, teams and major business issues. Clients may also want access to standard documentation etc. Extranets allow firms to tailor information to suit the particular needs of the client and, therefore, add value to the client relationship.”
Leading firms are often the first to embark on change and to integrate ways of working. Immediately, however, there are new risks that need to be managed:
- Has management properly recognised employees’ increasing dependency on the intranet as a source of information? For instance, if it suddenly became unavailable, would the enterprise be in a proportionally worse position than perhaps it was before the intranet existed?
- What damage to the enterprise would be caused by a major or minor breach of the service?
- What effect would this have on the enterprise’s reputation?
- Is information being provided on a need-to-know basis, or can confidential information be inadvertently or deliberately disclosed?
- Is the enterprise publishing accurate information on its website?
- Are there adequately documented service level agreements between the service provider and any third parties, for example those providing web hosting, IT infrastructure or communications links, which support the services or goods being ordered and provided to the customer over the web?
- What systems and policies have been put in place to ensure the required level of availability and dependability of the service?
- How resilient are the networks on which the services operate, eg, can they cope with a surge of online traffic?
- Are members of a particular community both receiving and contributing to the system or only taking from it?
- Can users trust and be confident in the integrity of the data retrieved through searches?
Multi-site, multi-jurisdictional and multi-disciplinary enterprises
Enterprises that operate across different physical premises, and especially those that operate internally across jurisdictional boundaries or operate as multi-disciplinary practices, often advertise to their clients their business objective of providing a ‘seamless’ service of the ‘highest quality’. In certain sectors, such as professional services, the debate about multi-disciplinary practices (MDPs) still rages, but recent financial mismanagement scandals have strengthened the hand of regulators. However, in the context of both KM and IS, it is clear that the matrix of applicable risks has become more complicated. It is also more mission-critical that these risks are managed successfully. The nature of such enterprises dictates that KM principles will be observed in spirit, but what about in practice? When enterprises reach a particular size and/or phase in their business history, the costs of maintaining the right infrastructure and preserving the culture and the historical strengths of the business increase and become harder to manage and measure. Risks to consider include:
- Is the enterprise complying with applicable legal and other regulatory requirements in each of the jurisdictions in which it is operating?
- Is the enterprise becoming dependent on fewer staff or on staff with certain high-value or location-specific skills?
- Is the impact of any failure still at a manageable level after all of the aggregation of data and removal of redundant equipment/facilities has taken place?
- Are the levels of risks to the information still acceptable when there are so many possible ‘villains’ involved?
Outsourcing of IT
Outsourcing of IT through application service providers is a perfect example of a situation in which IS and KM need to be integrated, and a balance struck between information security and knowledge exploitation. Your enterprise decides, for example, to do more business over the web. It uses a combination of external and internal IT resources to design, build and launch a new website, or a next-generation website. The business paradigm is now completely different. There are now new opportunities for IT failure. Points to consider include:
- Is the service a full, 24x7 offering?
- What countermeasures are in place to mitigate the risk of downtime?
- What are the costs of supporting these countermeasures?
- Would it be more cost-effective to offer a more limited service?
- Is the workforce adequately trained to cope with changes in its working practices?
Business networks and networking
Modern business is about being part of networks of partners and associates. These networks may be formal structures or much looser arrangements, but in each case the participant enterprises have determined that they cannot ‘go it alone’, but rather need the support and reputation of the other participants in order to succeed with their own corporate objectives. Before knowledge can be exploited, of course, it needs to be created. An item of knowledge has a natural lifecycle, and the management of that lifecycle can be broken down into the following seven components: identification; capture; classification; storage; dissemination; retrieval; and exploitation. Networks naturally require people to exchange knowledge with each other for mutual advantage, ie, to exploit it. The British Standards Institute’s Knowledge Management: A Guide to Good Practice contains the following quote, which struck a chord with the writers of this article: “If you have a penny and I have a penny and we exchange pennies, you still have one penny and I still have one penny. But if you have an idea and I have an idea and we exchange ideas, you now have two ideas and I now have two ideas.” Some risks to bear in mind include:
- That one party will successfully exploit the two ideas to the detriment of the other. But the old axiom ‘nothing ventured, nothing gained’ remains highly relevant in this context. The business objective here should be for two parties to share the risks and, therefore, share the rewards of exploiting the ideas;
- How secure are the communication channels within the network? Who has access?
- What damage would be caused by confidential information getting into the wrong hands, or the integrity of information not being maintained?
- Are there clearly documented contracts between the various partners and associates in the network?
- Who owns the intellectual property in a relationship between two enterprises and further down the supply chain?
- What happens if certain partners and associates leave the network?
- Does the enterprise have a fallback strategy if certain partners or associates leave the network?
Top-level approach to risk management
One common approach to risk management is to measure risk as a function of the value of the information and other assets to be protected and the threats to those assets. Countermeasures can then be applied according to the identified risks:
- First, assets are valued by carrying out a business impact assessment. The risk analyst will interview key business personnel to determine which information assets are important to the business, and what the impact would be if there was a breach of security leading to loss of information confidentiality, integrity or availability;
- Next, the threats to the business assets (ie, the likelihood of them occurring) and the corresponding vulnerabilities (ie, the relevance of the threat) are assessed by interviewing a variety of personnel from various departments, such as end users, IT, HR and facilities. This involves consideration of all the appropriate threats and vulnerabilities, and utilises the interviewer’s security expertise about the nature of the threats and vulnerabilities that would apply in the given environment;
- The resulting risk scenario (ie, each instance of a threat and vulnerability leading to a business impact) is evaluated according to a specified algorithm, typically a matrix that values risk according to both business impact and its likelihood of occurring.
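The three steps above, together with the IS method outlined earlier (asset dependencies, business impact per confidentiality, integrity and availability, threats and vulnerabilities, a risk matrix, and controls chosen until residual risk is acceptable), carried through as an added example. This is not code from the article, Insight Consulting or Cramm: the 1..3 scales, the 3x3 matrix, the risk appetite, and the healthcare asset, threat and control names are all constructed for illustration.

```python
# Constructed 1..3 scales and risk matrix for illustration; BS 7799 and Cramm define their own.
SCALE = {"low": 1, "medium": 2, "high": 3}
STEP_DOWN = {"high": "medium", "medium": "low", "low": "low"}   # effect of one control
ACCEPTABLE_RISK = 2            # constructed risk appetite: levels 1 and 2 tolerated, 3 and 4 not
RISK_MATRIX = {1: {1: 1, 2: 1, 3: 2},          # row = business impact, column = exposure,
               2: {1: 1, 2: 2, 3: 3},          # cell = risk level 1 (negligible) .. 4 (critical)
               3: {1: 2, 2: 3, 3: 4}}

def effective_impact(assets, name, prop):
    """Asset dependency modelling: an infrastructure asset inherits the highest impact
    of every information asset that depends on it, directly or transitively."""
    own = SCALE[assets[name]["impact"].get(prop, "low")]
    dependants = [n for n, a in assets.items() if name in a.get("depends_on", [])]
    return max([own] + [effective_impact(assets, d, prop) for d in dependants])

def exposure(likelihood, vulnerability):
    """Fold threat likelihood and vulnerability into one 1..3 exposure rating, rounding up."""
    return (SCALE[likelihood] + SCALE[vulnerability] + 1) // 2

def risk_level(assets, s):
    """Look up the risk matrix for one scenario (threat + vulnerability against an asset property)."""
    impact = effective_impact(assets, s["asset"], s["prop"])
    return RISK_MATRIX[impact][exposure(s["likelihood"], s["vulnerability"])]

def select_controls(assets, scenarios, controls):
    """Choose justified controls: for each scenario above the risk appetite, apply the controls
    addressing its threat (each lowers likelihood or vulnerability one step) until residual
    risk is acceptable. Returns {threat: (initial level, residual level, controls applied)}."""
    report = {}
    for s in scenarios:
        s = dict(s)                                 # copy: input scenarios are left unchanged
        initial, applied = risk_level(assets, s), []
        for ctrl, (threat, reduces) in controls.items():
            if threat == s["threat"] and risk_level(assets, s) > ACCEPTABLE_RISK:
                s[reduces] = STEP_DOWN[s[reduces]]
                applied.append(ctrl)
        report[s["threat"]] = (initial, risk_level(assets, s), applied)
    return report

# Constructed healthcare data echoing the article: patient records stored on one server.
ASSETS = {
    "patient records": {"impact": {"confidentiality": "high", "integrity": "high",
                                   "availability": "medium"}, "depends_on": ["records server"]},
    "records server": {"impact": {"availability": "low"}},
}
SCENARIOS = [   # asset, threat, property at risk, threat likelihood, vulnerability
    {"asset": "records server", "threat": "server outage", "prop": "availability",
     "likelihood": "medium", "vulnerability": "high"},
    {"asset": "patient records", "threat": "unauthorised access", "prop": "confidentiality",
     "likelihood": "medium", "vulnerability": "medium"},
]
CONTROLS = {    # control -> (threat addressed, rating it reduces); constructed, not BS 7799 names
    "resilient hosting": ("server outage", "vulnerability"),
    "tested backup and restore": ("server outage", "likelihood"),
    "role-based access control": ("unauthorised access", "vulnerability"),
    "staff awareness training": ("unauthorised access", "likelihood"),
}

if __name__ == "__main__":
    print(select_controls(ASSETS, SCENARIOS, CONTROLS))
```

Note that the server inherits the records' availability impact through the dependency, and that the confidentiality scenario needs two controls before residual risk drops inside the appetite, because lowering vulnerability alone leaves the exposure rating unchanged.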
IS methodology and risk assessment tools
Insight Consulting has developed a methodology to assist enterprises in assessing their IS needs, which often includes assessment of their compliance with best practice and the specification of actions to achieve such status. The methodology is in turn based on Cramm, which is the UK government’s preferred risk assessment method. Cramm includes comprehensive risk assessment tools, which are fully compliant with best practice, including:
- Asset dependency modelling;
- Business impact assessment;
- Identifying and assessing threats and vulnerabilities;
- Assessing levels of risk;
- Identifying required and justified controls on the basis of the risk assessment.
Cramm’s risk assessment tools can be used to answer single questions, to look at enterprise units, processes, applications or systems, or to investigate complete infrastructure and entire enterprises. Users have the option of a rapid risk assessment tool or a full, more rigorous analysis.
Hybrid KM and IS methodology
Taking lessons learnt from the above examples and case studies and then extrapolating from Insight Consulting’s approach to risk management, we believe that if risk management frameworks were consistent in their language and methodologies right across the full range of management areas (ie, the vertical sectors in figure 1), their use could only increase the chances of successful management of those areas. Given also the proliferation in the marketplace of IT vendor solutions to managerial problems, additional financial benefits should directly accrue to those enterprises that utilise risk management tools and applications that can be adapted to the widest range of applicable risk/reward scenarios. A new hybrid risk management framework could perhaps be summarised by figure 2.
Figure 2 - hybrid KM and IS risk management framework
KM and IS strategies and individual projects fail through lack of boardroom attention, focus and priority, and a lack of grass-roots support. Perhaps this is because the language of profit and reward is currently too detached from the language of risk. Risk management is, in fact, profit and reward management. Since the pace of change is always increasing and the management of risk is becoming more complex, the corollary is that the methodologies for dealing with it are required to be more precise and more widely understood; otherwise corporate anarchy or divisions may ensue. If the appropriate methodologies are consistently understood and applied throughout an enterprise, without them becoming a burden (in other words, if they are embedded into the culture of an enterprise, whose members seamlessly and tacitly accept and support them), then that enterprise will be able to maintain an optimum balance between knowledge exploitation and information security.
Tim Travers is a solicitor and principal consultant at e-Legal Logistics. He can be contacted at email@example.com
Steve Daniels is managing principal and Cramm manager at Insight Consulting Limited. He can be contacted at firstname.lastname@example.org