A common concern raised by organisations considering the implementation of a data classification policy is how their users will react to it. To an IT team battle-scarred from implementing, say, a DLP system (and the resulting spike in helpdesk calls), the idea of putting another tool in front of users seems insane, and the temptation to fully automate classification must be strong. The fact is that some organisations still believe users should be kept away from decisions about data security for fear that they’ll do more harm than good.
However, feedback from organisations who’ve actually implemented data classification suggests that this is not the case. Regular readers will remember the surprisingly positive user response that the Allianz Ireland security team experienced during their implementation of Classifier – in the words of ISO Orla Barry, “People really liked it and wanted to use it as they needed to implement Data Protection measures. During the testing, it was taken off people’s desktops occasionally and I actually got calls from people asking about when they would be getting it back!”
This was echoed in an interview I recently conducted with Alexey Lola, Chief Information Security Officer at DeltaCredit Bank, about their implementation of a user-driven classification tool. Alex reported that one of the greatest concerns that the ISO team had was that the 700 DeltaCredit users wouldn’t like the classification tool and that its use would have to be mandated, but in fact users surprised the ISO team with how positively they accepted it. The ISO team say they knew the project had been successful when they could see that users were using the software and policy appropriately, and not simply using the default classification all the time, indicating that they had engaged fully with the concepts and process.
The team at DeltaCredit report a transformation of culture in relation to IT security, where classification is now automatic for the users and has become part of their normal daily routine. Alex said, “Classifier is not just about protection of the information – it’s there to change the security culture in the organisation as it affects every employee.”
Whilst there are instances where classification can and should be automatically applied to data with either no human intervention or a brief validation of the chosen label, it’s clear that the visibility afforded by user-applied classification not only benefits the classification process, but also delivers a wider change to security culture and awareness.
You can read the full DeltaCredit case study here.