Project Study: Data Classification – Example 2
Managing across the enterprise for new security habits
Results
- No organizational noise as data classification software was deployed across an entire enterprise of 5 business units, 15 divisions, and 12,000 employees with operations in 130 global locations
- “Data now feels like an asset. You’ve made data feel tangible and you’ve given me a way to say ‘No.’ I’d never give away a piece of company property, not so much as a highlighter. Yet, in the past, if a former colleague asked for a copy of policy to benchmark, I had no clear basis for saying ‘No.’ Now, I can say it is classified… and I don’t have authority to release it. It’s a big win for protecting our assets.” – An employee
- “Linda is hardwired to sweat during the planning phase so we don’t bleed during implementation.” – CISO
- “The results you achieved are even more strongly positive in comparison to other initiatives. There is an art and a science to change; the results show you practice both.” – HR Manager
Situation
- After rallying executive support, our project had a clear mandate to implement data classification and the C-suite wanted to delegate. They wanted to implement quickly and with minimal disruption to business
- Data classification would be enforced before employees save a file in MS Word, Excel or PowerPoint
- Aggressive implementation schedule: testing (including pilot) 3-4 months; another 3-4 months for the rollout to 8,000 endpoints
- Fortune 300 manufacturer with project impact from the C-suite to union employees on the shop floor
Project Right-Sizing
- Created and led implementation of the organizational transformation plan start to finish
- With numerous other change initiatives underway, deliberate choices were made to integrate with some and create space to avoid dissonance with others
- Prepared employees at all levels by leveraging the phishing education campaign to increase understanding of the urgency and importance of adding protection
- With an executive data owner in each functional area and each business unit, employees were reassured the change would not interfere with core responsibilities
- Concierge support for the executive leadership team guided top-down communications
- Bottom-up communications directed frontline employees to their supervisor; supervisors were supported top-down as well as directly from the project
- Leveraged existing internal resources in ways not previously experienced in this enterprise
- Focus on newly created or edited documents; data owners could determine disposition of older files
- Project focused on protecting company assets; deployed in parallel with other required marking already in use, such as federal contract requirements or attorney-client privilege documents
- Phased implementation of Data Leakage Prevention (DLP) started in monitor mode to allow time for employees’ learning curve and adapting processes to “make it work for us”
- With business need and proper authorization, visual marking could be eliminated; however, metadata remained in the file to support protecting the digital asset
Project Acceleration
- Positioned pilot users to be “advance scouts” and “guides” to support and help the rest of their department
- Advised employees “when in doubt” to click on the middle classification level “so you can keep working then talk with your supervisor at the earliest opportunity.”
- Bold Move: CEO and COO set a deadline after which they would not read unmarked documents
- Bottom-up communications complemented top-down communications from executives, enabling an aggressive software deployment schedule and supporting deeper engagement by employees on a “pull vs. push” basis that accelerated behavior change
- As part of the executive alignment phase, requested and received authorization to deploy software randomly to select pilot participants if enough were not designated by supervisors, eliminating a common problem for many IT projects in this organization and greatly accelerating the timetable
- “Employee Engagement Plan” ensured faster adoption, increased utilization and better classification accuracy
Industry Buzz
- “The network perimeter has become porous due to the widespread use of data-sharing tools…Insider breaches, therefore, are not just a technological issue but a human and cultural problem…Data security starts with the individual user. At the level of creation and initial exchange, safety can be built right in by using classification. This practice clearly tags information so that it follows security protocol, and it continually keeps security top of mind for employees as they classify every piece of data they handle. It’s a win-win for keeping digital assets safe.” – Stephane Charbonneau, CTO, TITUS, in “Security from the Ground Up: The Need for Data Classification,” Information Security Magazine, 2016