Is a Merger Between Information Security and Data Governance Imminent?
- All Things Being ISOs

- Nov 28, 2023
Updated: Feb 20
Industry Observers Note Increasing Signs of Convergence as Data Governance and Information Security Align for a Unified Approach.

As the realms of data governance and information security continue to evolve, industry experts are speculating about a potential merger between these traditionally distinct domains. While official announcements remain pending, there is growing consensus on the necessity of intertwining these disciplines for a more comprehensive and efficient strategy.
Historically, Data Governance has focused on the business, legal, and compliance aspects of data usage, while Information Security has concentrated on safeguarding data. This dichotomy, however, is proving increasingly untenable in the face of evolving challenges, prompting discussions about merging the two spheres.
The concept of merging Data Governance and Information Security is not entirely novel. Gartner, in its Data Security Governance Model, and EDRM, which integrated stakeholders like Information Security, Privacy, Legal, and Risk, have previously proposed unified models. The convergence of Governance, Risk, and Compliance has long been an aspiration in the eGRC market. While some organisations have successfully integrated these functions, many still struggle, treating them as separate, siloed programs.
Information Security has historically commanded more attention in boardrooms, driven by high-profile security incidents. This attention has translated into comprehensive frameworks, industry standards, regulatory legislation, and a robust platform for Chief Information Security Officers (CISOs) to drive change.
In contrast, Data Governance has grappled with fragmentation in definition, organisation, development, and funding. Despite recognising the value of data governance, organisations find it challenging to strike a balance between information risk and value.
Drivers Behind the Merger
Risks and obligations linked to information act as primary drivers for the convergence of Data Governance and Information Security. Loss or compromise of specific data types not only carries legal and compliance consequences but also disrupts normal business operations. A lack of effective legal and compliance controls exacerbates information security and privacy risks.
Common drivers include the volume, velocity, mobility, and sensitivity of information; the complexity of legal and compliance requirements; hybrid technology and business environments; multinational governance models; and risks associated with business interruption.
Merging the Models: Information Risk Management
To create a cohesive construct, industry observers propose the term "Information Risk Management." This term emphasises the need to balance the value and use of information from a business perspective while ensuring appropriate governance and protection. By integrating processes, people, and solutions into a unified framework, organisations can address the common requirements of both disciplines in depth.
Conclusion: A Comprehensive Approach to Information Risk Management
While the official merger might be pending, the integration of data governance, information security, and privacy frameworks presents an opportunity for enterprises to leverage common investments and develop a more robust enterprise risk management strategy. The alignment fosters cross-functional capabilities, enabling security and privacy teams to better understand business requirements, and legal and compliance teams to gain insight into IT and Information Security, ultimately building a more integrated approach to information risk management.