Information is only able to be leveraged as an asset if it is made as broadly available as possible. There is a temptation to restrict access to all information assets on a need-to-know basis. In some ways, this appears to be the lowest-risk approach, but it can often have exactly the reverse effect as it leaves critical data that should be leveraged invisible to decision makers.

Invisible data has a way of appearing at the most inopportune time during a crisis (often in the hands of a journalist or litigant in court). Invisible data is also unlikely to be used in all aspects of internal decision making, which can lead to accusations of negligence.

Organizations do, however, have an obligation to tightly guard a large amount of information. For example, personal data associated with clients, employees, and other stakeholders should be secure. There is also a responsibility to look after proprietary methods, recipes, and other intellectual property when the organization is significantly ahead of the market.

While databases and operating systems offer security models, they should not be relied on without a good understanding of the principles on which they work, limitations, and the proprietary nature of their implementation. Almost all security works on either or both of two approaches.

The first approach is to restrict access to a given location or individual resource. For instance, the application may only be available to certain staff. The challenge that system ...