Project Study: Data Classification – Example 1
Rally C-suite ownership with a business case for change
- Adoption of a single data classification guideline across the entire enterprise of 5 business units, 15 divisions, and 12,000 employees with operations in 130 global locations
- Data ownership is a new executive role established at level of the CEO and his direct reports
- Executive agreement: data is a critical business asset which is owned by the business leaders
- Executive agreement: data classification is a new habit that we will learn over time
- “You brought tact and skill to the process.” – EVP, general counsel and board director
- “Through Linda’s deep insight, counsel and flexible strategy we were able to create an approach that strengthens the view of IT as a business partner at the same time that we promote new cyber security habits.” – CISO
- “I can see the difference you made for the Information Security projects. Employees are engaged and clear about what is being asked of them. With passion and clarity, executives articulate their personal connection to what’s being asked of employees and its importance to the business. An excellent example is the CEO and COO talk at the all-employee communications meeting.” – HR Manager.
- CEO of $8B automotive industry manufacturer wanted data classification for many years but got little traction until the new Chief Information Security Officer (CISO) took ownership and invited us to help.
- Created a “Business Case for Change” to rally executive sponsorship and focus agreement among the CEO and 15 direct reports
- Facilitated discussion with CISO, the project team and business leaders to adopt a simplified classification guideline
- Data classification positioned as a necessary step to protect the business asset of data while emphasizing that asset protection is an expectation in the company code of ethics
- With numerous other initiatives underway, delivered a strategy to the C-suite which integrated with some efforts and created space to avoid dissonance with others
- All strategies, plans and communications matched the vision, mission, and existing culture
- Tightly integrated with project to deploy data classification technology across the enterprise
- Created “Stakeholder’s Journey” to hasten each executive’s understanding of the “what and why”
- Created “Leaders’ Packet” to answer bottom up questions of “who, how, and when” and detail on “what”
- Promoted employees confidence and promoted self-sufficiency with “Document Examples by Department”
- Streamlined classification schema made the learning curve easier and accelerated acceptance
- Acknowledged matrix reporting would often result in two data owners and provided instructions to prevent confusion
- Set expectation that the software would be quick to install but the habit of classifying data would take a while to develop
- Options for direct communication with the project allowed concerned individuals to get answers without involving supervisors –creating a safe place for employees at all levels who were uncomfortable with the learning curve.
- “If you knew which horses were thoroughbreds you wouldn’t have to guard the whole ranch.” Mark Halligan, Intellectual Property Trial Lawyer and Author on LinkedIn
- The #1 factor for project success is active and visible executive sponsorship – Prosci Research Foundation. Nine surveys 1998-2016
More Project Studies
Experience shows that focusing on Level 3+ results from the outset yields a much more powerful outcome while also making the project easier and less risky.
Leverage our lessons learned to make your project easier using the SecuriThink Data Classification Complexity Scale.
Managing across the enterprise for new security habits
Quick Start the project, cross-train client team, manage risk
23 Workstreams over 2 years deployed many technologies and policy changes in support of a “Defense In Depth” InfoSec strategy
Behavior change and more leverage from Security Education and Awareness (SEA)
Reduce technical support with appropriate employee engagement
Minimize business impact and technical support requirements
High security computer-based test centers