Freedom’s Just Another Word for Nothing Left to Lose

Jan. 27, 2009

I finally discovered the true meaning in those words penned by the brilliant songwriter Kris Kristofferson and belted out by blues legend Janis Joplin. I uncovered it accidently several years ago while pushing my way through the maze of storage populating the attic in our home. As I looked around, I suddenly realized that most of the boxes and shelves were crammed with things we would most likely never use again: school books from years of graduate education, clothes for climates we would no longer inhabit and equipment for activities we would never again pursue.

After spending a month fruitlessly trying to find a charity that would pick it all up, I finally resorted to calling the junk guy. I paid him a couple hundred bucks, then watched as he hauled away items potentially worth thousands to someone willing to invest the time putting it all on eBay. When it was all over, we had two small boxes of memories we wanted to keep, and my father’s old trunk from World War II. The attic is nearly empty now.

Soon, we were applying that thinking to other areas of our life. My wife and I were now empty-nesters as far as children were concerned, and it was time to continue to empty the nest of years of clutter and benign neglect. We got rid of the boat and even home furnishings. The luxury sedan was traded for a functional, cheap, fuel-efficient car. We gave away jewelry and objet d’art to family and friends, and re-gifted presents that would only be stuffed into corners to be ignored. Next went all the clothes that hadn’t been worn over the previous twelve months. It was invigorating.

As these items went down the driveway and out of our lives, it was as if a burden was being lifted. It was a burden we had slowly heaped on ourselves unaware. We had come to realize that all the items we possessed had to be maintained, insured, heated, cooled and protected. If you don’t own it, you don’t have to fret over it, either.

Soon, it will be the house itself. A modest condominium will enable us to divest ourselves of tools, ladders and lawnmowers. It will free us to simply lock the front door to pursue the travel and adventure we desire as we approach retirement. Freedom = nothing left to lose. Wow.

I have applied that process to my security consulting and teaching as well. Most (if not all) the data an organization maintains has to be maintained and secured. The more sensitive the data, the larger the potential risks, thus the larger security investment required. By rigorously reviewing the informational assets of an organization, it is possible to reduce the costs of security and maintenance by shedding unnecessary data assets.

This is especially true of governmental organizations. Government agencies obtain and use data to serve a legislated social purpose on behalf of the citizenry. Too often, data piles up and the owners are forced to buy more storage, management and retrieval technology. As this infrastructure grows, so does the risk of this data being exploited or abused.

Recently, I was privileged to spend a couple hours with a state’s chief information officer. He was bemoaning the impact of security and reporting legislation on his technology budget. The complexity of the state’s technology infrastructure was growing exponentially as the sheer amount of sensitive personal information continued to compound.

As we discussed the issue of what data truly needed to be maintained to fulfill the social requirements of the state, I asked him how he established the policies to determine when data was considered obsolete and needed to be purged from the systems his teams managed. He responded that this was a timely issue. He had been conducting meetings with state agencies, citizens’ groups and other interested parties. He explained that one of the most vocal constituencies was a group of lawyers representing the media.

He described the demands made by these lawyers for unfettered access to “public” data for the use of reporters. I said I could understand the need for the media to keep citizens informed of the inner workings of their government, but was surprised their demands would carry so much weight. He explained the state was being pressured to release often sensitive personal data simply because it was being maintained by the government, and was thus considered “public data.” Hence, it was required to be released to any citizen who asked for it. On the surface, this may make sense, but it did little to alleviate his concerns for properly managing information turned over by citizens for use by the governmental agencies.

As we parted, I asked him if I could keep in touch to see how this was playing out. He kindly gave me his card, and told me to call him any time. I walked away musing about who will ultimately determine how our personal information is used, and where it can be sent outside the controls of the agencies who collected it. Until we have sound government policy on the management and use of sensitive, personal data, we will not be free from the tyranny of our own technology. Less stuff = less stress.

John McCumber is a security and risk professional, and is the author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, please e-mail John at: [email protected]