The Ponemon Institute (sorry, that’s just a little too close to “Pokemon”) recently concluded a study on behalf of Watchdox, the self-described “preferred document-centric security solution.” Key bullet points describing the study, which was based on a survey of 622 IT and security practitioners, include:
“71% percent of respondents say that controlling sensitive or confidential documents is more difficult than controlling records in databases.”
This is hardly a revelation. Most documents are created ad hoc, using MS Office or something similar, and stored wherever the author feels is appropriate. Records in a database are typically created and maintained via a purpose-built application, which is controlled by administrators.
“… 63 percent … do not believe they are effective at assigning privilege to employees, contractors and other insiders whose jobs or roles requires access to sensitive or confidential documents.”
Of course, Watchdox sells precisely the cure these respondents need for this ailment! All they have to do is buy this wonderful product, and then start doing their jobs effectively! Note that this takes time to set up, because Watchdox needs to know who needs access to which documents under what circumstances. Establishing these controls will take a lot of time, and will require the authors of these documents (if you can find them) to make a lot of decisions, because it isn’t enough to place these controls on new documents; you’d need to retrofit them to the existing base of documents. And along the way, someone would need to review these decisions to ensure that they were being made uniformly. That’s a lot of time required from a lot of folks, many of whom are probably busy doing their regular jobs. And now some IT project manager is going to ask them to determine the appropriate security for every potentially sensitive document they ever created and stored on some file server?
Ever wonder why so many enterprise-level projects fail? Sometimes, it’s because someone decides to fix a problem owned by everyone, when not everyone has the time to devote to fixing it. Let not your reach exceed your organization’s grasp.