Relationship building: records management and cyber security
The development of technology in data use and storage is faster than it has ever been before. Because of this it is vital that records management and cyber security experts work closely together to ensure that information is handled responsibly and all staff understand what is required of them.
But how often is this close relationship actually the case? What can be done to help facilitate communication of good practice across the business?
To research these relationships, our Information Management Department went on a road trip to the Information and Records Management Society annual conference in Glasgow. We then dashed down to York for the Cyber Security Professionals conference.
At both events we ran an interactive workshop and asked attendees:
- How is the relationship between records management and cyber security experts in your organisation?
- What challenges do you have engaging end users (all staff) in good practice?
- What would you like to see from training and engagement experts to help?
While it’s not possible to make sweeping generalisations, we did obtain some examples of good practice that could be of use to other organisations.
The first question prompted a wide range of experiences, ranging from ‘excellent’ to ‘it’s them versus us’. Overall we found a majority of records management professionals were positive about their relationships with cyber security. At the cyber security workshop there was more of a feeling that records management was often marginalised, or not involved at an early enough stage in decision making. In some cases this was down to the organisation not having a dedicated records management professional.
A common feature in organisations that reported a good relationship was a highly integrated approach to working. Often records managers would sit within the same departments, or even the same team, as IT security. Information risk decisions involved both sets of professionals from an early stage. Participants also reported that where senior management advocated closer working and encouraged line managers to communicate with one another, relationships improved greatly.
Another important factor was working to engage end users. Some attendees felt that teams were getting too ‘hung up on technical solutions’ to manage and secure information. This was leading to a lack of engagement with the wider business, and an impression that other staff did not need to be concerned with security. While developments in records management and security technology should always play an important role, we found that teams who engaged more with end users also reported better relationships between records management and cyber security than those who relied on technology-based fixes.
In terms of challenges engaging end users, both sets of participants had similar concerns. There was an attitude that end users often overlooked the value of information to the organisation. Cyber security experts were concerned that once information was digitised, staff no longer considered themselves responsible for it. Many organisations also reported that the size of their business, and having staff working at multiple sites, made engagement difficult, particularly where they were competing to be heard against a wide range of other training and communication initiatives.
In many organisations these challenges are being overcome with an imaginative range of techniques.
Both face-to-face and online training were popular ways of engaging staff. However, many respondents stressed that training needed to be kept ‘bite sized’ and where possible contain real-life case studies. The Information Commissioner’s Office produces reports on its investigations which often provide compelling case studies of poor records management.
Another solution was ongoing engagement through ‘just in time training’, that is, training provided at the moment a certain skill is required, outside of annual refresher training. Poster campaigns, vlogs, intranet posts and campaigns highlighting the costs of data breaches were all mentioned.
Attendees also talked of the growing trend for businesses to use phishing campaigns on their staff (the organisation sends fake phishing emails to staff to see whether they respond; those who do are given a short lesson on phishing and what they need to look out for). Respondents said these were effective, but they emphasised the need to involve HR and possibly trade unions in any such campaign from the beginning.
How training experts can help
Professionals from both areas thought those responsible for training and engagement needed to facilitate sharing and communication between records management, cyber security and end users.
This can involve finding the case studies mentioned above, developing best practice frameworks and writing innovative training materials. Facilitation is also necessary to make sure that there is a consistent message coming from both professions; failure to coordinate messages can lead to confusion among staff. The role of training and engagement experts in communicating with senior management was also emphasised. In organisations where senior management had a good strategic overview of records management and cyber security, better relationships were often fostered.
A final point I found particularly interesting was in how communications describe end users. It was mentioned that ‘too often end users are referred to as though they are a problem that needs fixing’. When we are writing our training courses, blog posts, videos, even research articles, we need to make sure that the language we use doesn’t give staff this impression. We ought to communicate in a way that advises on best practice, but also listens to staff concerns and adapts to support them in their roles. Earlier this year the NCSC produced a great video on just this subject.
Overall the impression we got is that while individual experiences vary greatly there is a widespread understanding that close work between records management and cyber security is necessary. A strong relationship between these two parts of the business can greatly improve communication with end users and help develop a better culture across the organisation.
We’d like to thank our participants very much for contributing. We’ve got a lot of food for thought on how to conduct our training and engagement in the future.