strategic information management principles
TRANSCRIPT
Copyright © 1995-2009 Kenneth P. Mortensen, Esq.
strategic information management
a framework for privacy and security safeguards
Professor Kenneth P. Mortensen
Cyber Risk & Information Security Conference
16 June 2009
Whitman School of Management
Syracuse University
strategic information management
• What is Strategic?
• What is Information?
• What is Management?
• What does Strategic Information Management mean for the Enterprise?
what is strategic?
• Focuses on building a solid underlying structure for an enterprise put into effect through enterprise action.
• Understand what the ultimate goals are for the enterprise.
• Discover the best methods to achieve those objectives.
• Put in place the resources to implement the methods and attain the goals.
what is information?
• In literal etymological terms, information means to give form to something.
• In business terms, the word focuses on the ability to transmit knowledge by providing form to a message by casting it into a profile or pattern for communication (sharing).
• Definitions for information can be grouped roughly into quantitative and qualitative categories.
– The qualitative definitions focus on the criteria which add meaning to the message that is communicated.
– The quantitative definitions focus on measuring the quantity of information units or the strength of its transmission.
what is management?
• Management is the process of getting activities completed efficiently and effectively through the enterprise.
• The goal (function) of management is to get the best return on enterprise resources by getting things done efficiently.
• There are four basic pillars: plan, organize, direct, and monitor.
the management
Information in the Enterprise
information management
• Old way of managing information.
• Protect critical value information from misuse, theft, loss, or disclosure.
• Ensure compliance with statutory and regulatory requirements.
• Certify the accuracy, integrity, and reliability of information.
information management
• Siloed Management
– Customer Data – Sales Management
– Communications – IT Department
– Intellectual Property – General Counsel
– Employee Data – Human Resources
– Research Information – R&D Department
– Demographics – Marketing
– Process Data – Operations
– Financial Information – Accounting Dep’t
strategic information management
• Concepts
– Information as an enterprise asset
– Risk minimization approach
– Cost and benefit analysis
– Priority deconfliction
– Data safeguards
– Right info to the right people at the right time
strategic information management
• To make it work:
– Information represents the highest level asset of any organization
– 360° approach to dealing with information
– Consideration of entire information lifecycle
– Comprehensive facilitation of management
• Creates competitive advantage
information as an asset
• Information is a critical asset of the enterprise.
• All the information, not just the traditional highly-valued information like trade-secrets, financial data, or CRM info.
• Focus has been on developing compliance; chasing the regulations instead of leading the innovation.
information as an asset
• Information value-add
– Internal resources
– Business intelligence
– Market aggregation
• Personally Identifiable Information
– Can no longer view in data silos
– Linkable information recreates identity
information as an asset
• Strategic
– Information as an enterprise resource
• Information
– All the information of the enterprise.
• Management
– Capture enterprise efficiency
risk minimization
• Risk and legal environment complex and diverse
• Global in scale with specific inconsistencies
– Sector-based v. Individual-based
– Operations-focused v. Need-focused
• Need wide ranging policy to capture not only data protection, but also data compliance
risk minimization
• Legal compliance does not minimize risk to the organization.
• Coordination of effort to address more than one facet of risk.
• Look to all functionalities of the enterprise to understand impact of the risks associated with the enterprise resource.
risk minimization
• Strategic
– Enterprise governance of information
• Information
– All aspects of information in the enterprise
• Management
– De-confliction to ensure governance efficiency
facilitate decision-making
• Break down barriers and let information spill over borders of the functions of the enterprise.
• Permit fulsome sharing of information across enterprise to provide wider view of actions and interactions.
• Reconcile competing priorities.
facilitate decision-making
• Individualized decision-making through limited access to information isolates the decision-maker.
• Functional decisions made with a single set of information compromise enterprise decision-making.
• Fuller cost-benefit analysis is available.
facilitate decision-making
• Strategic
– Process-based use of information
• Information
– “Unlimit” information supporting decisions
• Management
– Reconcile competing interests in information
total quality management
Dr. Deming’s Model to Improve Business Operations
total quality management
• “What is a system? A system is a network of interdependent components that work together to try to accomplish the aim of the system. A system must have an aim. Without an aim, there is no system. The aim of the system must be clear to everyone in the system. The aim must include plans for the future. The aim is a value judgment.”
Dr. W. Edwards Deming
The New Economics for Industry, Government, Education
Dr. W. Edwards Deming
• is best known as the person who taught Japan about quality and helped make “Made in Japan” a statement of quality with his theory of management after they were devastated by World War II.
• taught at New York University, assisted companies, and ran four-day seminars on quality management.
• was famous (or infamous) for his intensity and uncanny ability to go to the core of a problem instantly.
tqm concepts
• Apply appropriate management principles to increase quality and production.
• Focus on continual improvement for the system and not the individual components.
• Total involvement by management and workers to improve.
• Enabled workforce enhances quality.
fourteen principles
Underlying Principles for Strategic Information Management
tqm applied to strategic information management
• “The prevailing style of management must undergo transformation. A system cannot understand itself. The transformation requires a view from outside. The aim of this chapter is to provide an outside view—a lens—that I call a system of profound knowledge. It provides a map of theory by which to understand the organizations that we work in.”
Dr. W. Edwards Deming
tqm applied to strategic information management
• System of Profound Knowledge:
– Appreciation of a system: understanding the overall processes involving enterprise stakeholders;
– Knowledge of variation: the range and causes of variation in quality, and use of statistical sampling in measurements;
– Theory of knowledge: the concepts explaining knowledge and the limits of what can be known;
– Knowledge of psychology: concepts of human nature.
tqm applied to strategic information management
• One need not be eminent in any part nor in all four parts in order to understand it and to apply the System of Profound Knowledge.
• The 14 points for management in industry, education, and government follow naturally as application of this outside knowledge, for transformation from the present style of … [information] management to one of optimization.
14 principles - one
• Create constancy of purpose
– Find the strategic connections for the information held by the enterprise.
– Work toward management of the information in a consistent manner.
– Replace short-term goal creation with long-term goal planning
14 principles - two
• Adopt the new philosophy
– Internal leadership must recognize the value of treating and using the information in the enterprise as a critical asset.
– Ensure that the policies adopted at the top provide for effective and understandable implementation throughout the workforce.
– Leadership must lead the change.
14 principles - three
• Cease dependence on audits to ensure compliance
– Incorporate the management goals into the processes that handle the information.
– Focus on information flow and not information stop-points
– Understand the uses of information across the enterprise.
14 principles - four
• End the practice of using cost, expense, or price to determine benefit
– Recognize the return on the investment of managing information across the entire enterprise.
– Accept that short-term savings equal long-term costs.
– Factor in value to determine benefit.
14 principles - five
• Improve constantly and forever
– Continuously improve the processes underlying the management of the information in the enterprise.
– Institute a change management structure to ensure implementation across the enterprise.
– Integrate the management procedures with the operational needs of the enterprise.
– Reduce variation in the management
14 principles - six
• Institute constant training for the entire workforce
– Ensure that all parts of the workforce understand and comprehend the strategic model for the management of information in the enterprise.
– Do not limit training to periodic episodes, but integrate as part of change management and risk controls.
14 principles - seven
• Institute leadership
– The leadership of the enterprise must embrace a culture of strategic information management
– The aim of enterprise leadership should be to help the workforce embed the concepts of strategic information management into the business model.
14 principles - eight
• Drive out fear
– Apprehension of punishment should not be the incentive to ensure compliance or proper handling of the information in the enterprise.
– Recognition of the incorporation of core competencies into workforce processes.
– Problems represent failures in leadership – training and processes should be examined.
14 principles - nine
• Break down barriers
– Nothing can be accomplished until the components of the enterprise relinquish ownership control.
– Focus on the stewardship of information for the enterprise.
– Incorporate all components in the decision-making process.
14 principles - ten
• Eliminate slogans and targets
– Recognize that leadership and the building of a core competency within the enterprise drives the minimization of risk and control of cost.
– Facilitate improvement; do not create adversarial relationships between management and workers, departments, or business and customers.
14 principles - eleven
• Eliminate management by objective
– Strategic implementation goes beyond the tactical deployment of independent processes.
– Remove focus on standards, substitute leadership and the integration of priorities of the entire enterprise.
– Do not assume past goals represent current objectives.
14 principles - twelve
• Remove barriers to pride in achievement
– Provide opportunity to acknowledge the accomplishments of the entire enterprise in the handling of information.
– Target investment to assist, not just reward, achievements that enhance the underlying processes by building the link between the information assets and change management.
14 principles - thirteen
• Institute a vigorous program of education and self-improvement
– Go beyond training and provide for an understanding of the criticality of information to the enterprise.
– Provide for cross-functional learning to enhance understanding of needs and uses of information throughout the enterprise.
14 principles - fourteen
• Put everyone in the enterprise to work to accomplish the transformation
– Building an enterprise core competency requires that all levels and functions of the enterprise work together toward the implementation.
– Leadership from all is required to instill the courage to break with tradition.
impediments
What must be overcome for Strategic Information Management?
seven wastes (7 deadly sins)
• Lack of constancy of purpose.
• Emphasis on short-term gains.
• Evaluation by performance or audit on periodic basis.
• Mobility of management.
• Running an enterprise on visible figures alone.
• Excessive security costs.
• Excessive costs of management, fueled by inconsistency in global regulatory structure.
a lesser category of obstacles
• Neglecting long-range planning.
• Relying on technology to solve problems.
• Seeking examples to follow rather than developing solutions.
• Excuses, such as "Our problems are different."
conclusion
Where do we go from here?
strategic information management in practice
• Strategic management of information across the enterprise does more than address the need to minimize the risk to the enterprise: by establishing all the information as an enterprise resource, it introduces effective efficiencies into the decision-making processes, enhancing the return on the investment in information.
contact information
• Kenneth P. Mortensen, Esq.
• Email: [email protected]
• Phone: (202) 441-0204
• Web: www.kenmortensen.com
• Presentation: www.strategicinfomgmt.com
resources
• Bruening, Sotto, Abrams, & Cate, Strategic Information Management, 7 Privacy & Security L. Rep. 1361 (September 15, 2008).
• W. Edwards Deming, Out of Crisis (1986).
• W. Edwards Deming, The New Economics for Industry, Government, Education (1993).
• Mary Walton, The Deming Management Method (1986).
• Edward Baker, Scoring a Whole in One: People in Enterprise Playing in Concert (1999).