Monday, 4 February 2008

What does the evidence tell us?

Let me start this post with a bit of ICT humour that I was just sent:

After having dug to a depth of 10 meters last year, Scottish scientists found traces of copper wire dating back 1000 years and came to the conclusion that their ancestors already had a telephone network more than 1000 years ago.

Not to be outdone by the Scots, in the weeks that followed, English scientists dug to a depth of 20 meters, and shortly after, headlines in the English newspapers read: 'English archaeologists have found traces of 2000 year old copper wire and have concluded that their ancestors already had an advanced high-tech communications network a thousand years earlier than the Scots.'

One week later, 'The Kerryman', a southwest Irish newsletter, reported the following: 'After digging as deep as 30 meters in a peat bog near Tralee, Paddy O'Driscoll, a self-taught archaeologist, reported that he found absolutely nothing. Paddy has therefore concluded that 3000 years ago Ireland had already gone wireless.'

So what does the evidence really tell us? One of the emerging areas in information governance and information security is forensics. Back in 2000 (and beyond) most companies wanted to pretend that a security breach had never occurred. If the attack was conducted by an insider, it was more common for the individual (if they were caught) to be quietly asked to leave than it was for them to be taken to court. Of course, that just meant the problem moved elsewhere. Due to both the regulatory pressures of SB1386 and the like, and the maturing of the security industry, we are now far more likely to see companies making efforts to investigate not only how an attack occurred and by whom, but also to gather data that might eventually be submitted as forensic evidence in a subsequent legal proceeding.

There are a lot of catalysts for companies to search for evidence of the existence of information, and not just in the case of a cyber attack. Companies are now having to go to great lengths to retain and search their online (and offline) record stores. For example, in the case of a patent dispute, or due diligence related to M&A activity and the associated reviews by government competition watchdogs, companies may need to demonstrate that they have thoroughly examined their own records to prove whether they knew something, and if so, when. Sometimes not finding something is as important as finding something.

I think we're just at the beginning of the maturity curve around information handling, governance, and information forensics. As an industry we have a lot to learn. Forensics is an area to watch in the coming years, and one that we need to look at with a bigger picture in mind than simply that of investigating a cyber attack after the fact.

PS. Thanks Panay for the joke.