Tuesday, 22 November 2016

How to resolve the conflict between knowledge sharing and information security

Information security and knowledge management can conflict with each other in organisations, causing confusion, tension and risk. They don't have to. 

(Note in this blog post I am talking about internal knowledge sharing rather than knowledge sharing in a consortium of companies).

Image from wikimedia commons
I was consulting with a company in China a few years ago, which was hoping to develop a culture and practice of openly seeking and sharing knowledge. As I toured the office, I could see huge banners hung from every ceiling with large lettering, and this sort of prominent messaging is always an indicator of company culture, so I was keen to understand what messages were being conveyed. 

I asked my host what these said, and she replied "They say 'Keep our information secret! Every employee is responsible for guarding our data!'" (and several other banners carried the same sort of message).

What were the chances of developing an open sharing culture with these messages hung from the ceiling in foot-high letters?

Information security (and indeed information secrecy) can come into conflict with Knowledge Management. On the one hand you want to guard against loss of your critical knowledge to the competition, and on the other you want to spread it around the organisation to empower the knowledge workers to meet your organisational objectives.

The three potential pitfalls are these:
  • You make knowledge sharing so open that the knowledge leaks out of the organisation;
  • You make information security so stringent that the default behaviour is to share nothing;
  • You try to promote knowledge sharing and information security together, and confuse everyone.

Resolving the tension

Firstly, clarify the confusion. The Information Security policy and the Knowledge Management policy must be consistent with each other, and both must be clearly communicated. There should be no contradiction. Where there are issues of confidentiality within a single company (for example in a legal or consulting firm), then both policies need to address what should be shared with whom, and what shouldn't.

Secondly, put an impenetrable firewall around your Knowledge Management platform. Employees must be able to seek and easily find all relevant and useful knowledge, using a technology suite which is inaccessible to outsiders. They should know that sharing knowledge in KM-space is safe and secure, and that the company (through good security and password administration) will keep it safe and secure.

Thirdly, educate the staff on their responsibilities. These are:
  • To freely seek and share knowledge using the protected in-house system
  • Not to share any company confidential knowledge outside this protected system
Doing either or both of these will be rewarded; failure to do either or both will meet with sanction. 

Don't leave your staff in confusion. This is an issue you need to clarify.

1 comment:

Martin White said...

In principle I totally agree with your perspective. The problem is that most information security documents are developed by IT departments in line with ISO27001 which does not deal with the issues of defining protective marking for information with regard to confidentiality. Where there are internal protective marking policies these are usually based around document sharing and not information/knowledge sharing, and when social networks are implemented little attention is paid to information asymmetry - the difference between what you know and what you can share.
