Welcome to part four in our blog series on The Definitive Guide to Data Classification. The first three posts in the series have covered the fundamentals of data classification, how it can drive your information security strategy, and how to best choose the right classification method for your business. In this installment we offer tips for getting organizational buy-in for a data classification program.
Tip 1: Create Your Data Classification Team
Data classification decisions can impact all employees. By assembling the right team for your data classification program, you can ensure that the correct business units and individuals are involved in the classification process from the outset and position your program for success. At a minimum, your team should include:
- CIO & CISO: The ultimate technical responsibility for data protection falls upon one, or both, of these roles. Where the CIO is running the IT operations, the CISO is securing the IT operations. For both to be effective they need to understand the company’s sensitive data landscape. Being involved in the classification process will benefit both positions as well. For CIOs, classification guides and simplifies IT infrastructure investment decisions by cataloging volume, location, and type of sensitive data. For CISOs, classification highlights where to allocate the security resources and can spot security gaps before they become breaches.
- Business Unit Leaders: The P&L leaders who watch the top (and bottom) line numbers of the business units. This role has a more immediate reason to support data classification – loss of data in their business unit could result in revenue impact, fines, or both. Classification drives visibility and protection of both customer data (PII) and the product development data (IP) that fuels growth.
- Data Creators: The feet on the street; the knowledge workers that are often writing the code, creating the CAD documents, or drafting the M&A proposals. They are closest to the data and are instrumental to any protection program, which must serve its protective purpose without impeding business. Including users in a classification program heightens awareness of the need to protect data and the negative repercussions if that data leaks.
- Legal/Compliance: Legal is there when things go wrong and data leaks. Often the backstop in a data protection program, legal needs to understand the scope of the sensitive data (exposure) and the protection in place (mitigating factors) to ensure the organization is properly managing risk. Risk is unavoidable in business, but determining which risks are acceptable needs to be a calculated and conscious decision.
For any member of the classification team, remember to get them involved early. Any change that requires workflow modifications can be a source of friction. If your data classification project involves user-based classification (not all do; some rely wholly on automated data classification techniques), getting the users on board ahead of the project means that when roll-out happens they are educated, enabled, and understand the needs, along with the benefits, in *their* terms.
Tip 2: Position Data Classification to Key Stakeholders
Gaining organization-wide support for a data classification program starts with getting support from the key stakeholders who will be involved in the initiative. There are two primary stakeholder groups to target here: your “data champions” and your executives.
Data Champions
The data champions are those who have the most invested in the data. The goal here is to ensure they understand:
- What they are creating has value
- The value is worth protecting from both internal and external threats
- They are an important piece of the protection
Executives
For a data-intensive organization (which most are becoming, whether they realize it or not), protecting its data is paramount to sustainable competitive advantage. Demonstrate how:
- Classification can drive revenue growth by enabling secure partnerships and growth initiatives
- Classification can reduce spend by limiting the scope of data needing protection and increasing the efficiency of existing investments
- Classification can reduce risk by highlighting where sensitive data is and where it is going
Tip 3: Prepare for Objections
As with any new business initiative, there is always the chance that you’ll face some pushback when trying to sell a data classification program across your company. You may hear “We’ve gotten along just fine without it.” This passive message is akin to saying “I’ve never needed insurance in the past,” and reflects a misunderstanding of the importance of classification or a misperception that it is only for more mature organizations. While organizations can protect their data without classification, it comes at the expense of efficiency. Here are two key talking points to help overcome potential objections:
- With classification, data protection solutions have the insight to understand the difference between regulated, internal only, and public data. This insight elevates data risks intelligently based on the impact of a breach.
- Without classification, data protection solutions, including data loss prevention and advanced threat protection, will be prone to higher false positives and false negatives, and alerts will be of lower fidelity.
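The two talking points above can be shown concretely. The following is an added example, not code from the original post or from any vendor product: a toy egress-policy check run over constructed file events, comparing a content-pattern-only decision (no classification) with a label-aware decision. The labels, file paths and card-like strings are all assumed sample values.

```python
import re
from dataclasses import dataclass

@dataclass
class EgressEvent:
    """One file leaving the organization. Constructed sample data only."""
    path: str
    label: str         # assumed labels: "regulated", "internal", "public", or "unlabeled"
    content: str
    destination: str   # "internal" or "external"

# Content-only heuristic a DLP tool falls back on when no classification exists.
CARD_RE = re.compile(r"\b\d{4}-\d{4}-\d{4}-\d{4}\b")

# Risk tier per classification label for data going outside the organization.
LABEL_SEVERITY = {"regulated": "high", "internal": "medium", "public": "none"}

def content_only_decision(ev: EgressEvent) -> str:
    """Without classification: any card-like pattern leaving externally is high risk."""
    if ev.destination == "external" and CARD_RE.search(ev.content):
        return "high"
    return "none"

def label_aware_decision(ev: EgressEvent) -> str:
    """With classification: the label sets the tier; content matching is only a fallback."""
    if ev.destination != "external":
        return "none"
    if ev.label in LABEL_SEVERITY:
        return LABEL_SEVERITY[ev.label]
    # Unlabeled data: fall back to the content heuristic.
    return "high" if CARD_RE.search(ev.content) else "none"

# Constructed events illustrating a false positive and a false negative of content-only matching.
EVENTS = [
    EgressEvent("qa/test-fixtures.csv", "public", "4111-1111-1111-1111 sample row", "external"),
    EgressEvent("finance/cardholders.csv", "regulated", "4532-9876-5432-1234", "external"),
    EgressEvent("rd/design-v3.dwg", "internal", "<binary CAD data, no text patterns>", "external"),
    EgressEvent("hr/notes.txt", "unlabeled", "4916-1234-5678-9012", "external"),
]

def compare(events):
    """Return (path, content-only tier, label-aware tier) for each event."""
    return [(ev.path, content_only_decision(ev), label_aware_decision(ev)) for ev in events]

def disagreements(events) -> int:
    """Count events where the two approaches reach different risk tiers."""
    return sum(1 for _, a, b in compare(events) if a != b)

if __name__ == "__main__":
    for row in compare(EVENTS):
        print(row)
```

Public test fixtures that merely look like card data stop raising high-severity alerts, while an unlabeled CAD drawing that no regex can recognise is still flagged on its internal label.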
Hopefully you find these tips useful when building the case for your own data protection program. Keep an eye out for the final installment of this series, and for more information about how data classification can improve your data security program read our Definitive Guide to Data Classification eBook here.
Read more in our Definitive Guide to Data Classification Series
- Getting Started with Data Classification
- Data Protection: Knowing is Half the Battle
- How Should You Classify Your Data? A Guide to Using Context-, Content-, and User-Based Data Classification Effectively
- Selling Data Classification to the Business: 3 Tips for Getting Organizational Buy-In
- Setting Yourself Up to Win: Guidance for Data Classification Success