How to make your data classification project easier

Sep 20, 2016

Executive Summary

Based on business transformation experience with several projects, the SecuriThink Data Classification Complexity Scale reflects some of our lessons learned in the field. It is offered to better inform your situation assessment and planning. Our goal is to help organizations experience a smoother transition to information security (InfoSec) readiness, to make projects less risky and easier.

Complexity Factors

While every project has mandates, there are always variables that can be adjusted to manage priorities. Knowing which factors introduce higher risk and which may be phased in for easier integration by your business is a powerful way to ensure a successful project. The heuristics shown in the chart help identify where your project ranks high for unavoidable risk and offer options for identifying where a margin of safety might be created.

A Tale of Two Implementations

A rating of 1-10 was given to each of the factors on the Complexity Scale to describe actual scenarios we encountered. On the face of it, a project introducing data classification for the first time for the purpose of proactively protecting intellectual property might seem to be facing quite an uphill battle. It might appear that an easier project would be one in a company that has a long-standing tradition of data classification, in an industry where regulators pay a great deal of attention to proper data handling.

While the company culture for Scenario A might have had a steeper gradient to introduce completely new data classification habits, the comparison shows that many other factors were deliberately managed by the executive sponsors and the project team to ease the way. This was done by design, not accident.

Scenario B has the advantage that data classification is a long-standing tradition, but that same tradition left the company with a detailed schema and complex InfoSec policies that were a source of constant confusion among employees. Adding technology carried that confusion forward without addressing it. As the analysis shows, many other factors further increased the challenge. Scenario B carries 2-3 times as much complexity, multiplying the effort needed to engage a larger number of employees and business units before the client will likely realize a good return on the investment.

Business Trumps Technology

A scan of the complexity factors reveals that very little depends primarily on technology; most factors have been, or should be, structured according to business needs. While data is inherently a technology asset, and a data classification project often means one or more new technologies are being deployed, the easiest path through a potential maze of project complexity is a good business case and a solid sponsorship coalition. Many research studies [1] confirm this field experience.

A Game-changer and Force Multiplier for InfoSec

SecuriThink strategies are a game-changer. We combine experience on similar projects with well-practiced distinctions from other disciplines. We have helped clients build their business case for change, their sponsorship coalition, and their enterprise rollout strategy; we can help you build yours.


We go beyond tools and technology to address what industry and InfoSec leaders say is the biggest untapped source of power: the mindset of your people and the culture of your organization. When your people are engaged and empowered, your culture becomes a force multiplier for security. We call this your Cultural Armour™. Once it’s in place, you’ll wonder why you waited.

References

[1] Prosci Research Foundation, nine studies, 1998-2016.
