From the course: Information Management: Document Security

Set security levels that make sense

- [Presenter] I have an opinion about setting security levels that is different from the commonly accepted wisdom. You'll often hear people talking about setting security at a "need to know" level. That is, restricting documents and information so that only the people who need to interact with it to do their specific jobs have access. When in doubt, they set levels higher rather than lower. Now I'm going to argue that this is unnecessary and counterproductive. I'll go further out on a limb and say that it's often just a quick way of assigning security levels without going to the effort of understanding who uses the information and what they use it for. What should be happening is not restricting documents to "need to know." Documents should be available to everyone who could benefit from the information.

I'll give you a specific example from experience. In a global company, sales information on some products was locked down so that only people in the territory where it was sold had complete data. Incomplete data was available everywhere, but there wasn't an indication that there was more that you couldn't see. So a guy in Germany preparing a report using one set of data, a guy in China preparing the exact same report, but they were working off two different datasets. Neither one of them had the whole picture, and so both reports were wrong.

When we talked about the category two type documents earlier, they included company information that was designed for internal use. And my stand here is that this needs to be more broadly applied than I think is typical. Let's think about this sales information for a minute. What are the downsides to employees being able to see this? About the only thing that I can think of is the chance of them leaking it outside the company, but our awareness program and our hiring of people who have gone through security checks is going to mitigate that, right? What are the consequences if the sales information gets out? It can expose to our competitors where we've sold certain products, which might entice them to try and go after that market. It could also have some impact on Wall Street. But if it's not visible, can people do their jobs correctly? My argument is that having correct and complete data internally gives the company the ability to make better decisions. And that outweighs the possible downsides. I personally feel that the best approach is to make the widest amount of information possible available to everyone internally, reserving to higher levels of security only information that exposes some kind of legal or regulatory risk, or which contains confidential planning or marketing information.
