In part four of their series on The Definitive Guide to Data Classification, Digital Guardian offer tips for getting organisational support for your data classification programme.
Tip 1: Create Your Data Classification Team
Data classification decisions can impact all employees. By assembling the right team for your data classification program, you can ensure that the correct business units, and individuals, are involved in the classification process from the get-go and position your program for success. At a minimum, your team should include:
- CIO & CISO: The ultimate technical responsibility for data protection falls upon one, or both, of these roles. Where the CIO is running the IT operations, the CISO is securing the IT operations. For both to be effective they need to understand the company’s sensitive data landscape. Being involved in the classification process will benefit both positions as well.
- Business Unit Leaders: The P&L leaders who watch the top (and bottom) line numbers of the business units. This role has a more immediate reason to support data classification – loss of data in their business unit could result in revenue impact, fines, or both. Classification drives visibility and protection of both customer data (PII) and the product development data (IP) that fuels growth.
- Data Creators: The feet on the street; the knowledge workers that are often writing the code, creating the CAD documents, or drafting the M&A proposals. They are closest to the data and are instrumental to any protection program, which must serve its protective purpose without impeding business. Including users in a classification program heightens awareness of the need to protect data and the negative repercussions if that data leaks.
- Legal/Compliance: Legal is there when things go wrong and data leaks. Often the backstop in a data protection program, legal needs to understand the scope of the sensitive data (exposure) and the protection in place (mitigating factors) to ensure the organization is properly managing risk. Risk is unavoidable in business, but determining which risks are acceptable needs to be a calculated and conscious decision.
For any member involved in classification, remember to get them involved early. Any change that requires workflow modifications can be a source of friction. If your data classification project involves user-based classification (and not all do; some rely wholly on automated data classification techniques), getting the users on board ahead of the project means that when roll-out happens they are educated, enabled, and understand the needs, along with the benefits, in *their* terms.
Tip 2: Position Data Classification to Key Stakeholders
Gaining organization-wide support for a data classification program starts with getting support from key stakeholders that will be involved in the initiative. There are two primary stakeholder groups to target here: your “data champions” and your executives.
The data champions are those who have the most invested in the data. The goal here is to ensure they understand:
- What they are creating has value
- The value is worth protecting from both internal and external threats
- They are an important piece of the protection
To a data-intensive organization (something that most are becoming, whether they realize it or not), protecting their data is paramount to sustainable competitive advantage. Demonstrate how:
- Classification can drive revenue growth by enabling secure partnerships and growth initiatives
- Classification can reduce spend by limiting the scope of data needing protection and increasing the efficiency of existing investments
- Classification can reduce risk by highlighting where sensitive data is and where it is going
Tip 3: Prepare for Objections
As with any new business initiative, there is always the chance that you’ll face some push-back when trying to sell a data classification program across your company. You may hear “We’ve gotten along just fine without it.” This passive message is akin to saying “I’ve never needed insurance in the past,” and reflects a misunderstanding of the importance of classification or a misconception that it is only for more mature organizations. While organizations can protect their data without classification, it comes at the expense of efficiency. Here are two key talking points to help overcome potential objections:
- With classification, data protection solutions have the insight to understand the difference between regulated, internal only, and public data. This insight elevates data risks intelligently based on the impact of a breach.
- Without classification, data protection solutions, including data loss prevention and advanced threat protection, will be prone to higher false positives and false negatives, and alerts will be of lower fidelity.
The full original article can be found on the Digital Guardian blog here. For more help and tips on getting organisational buy-in for data classification, contact us now, and we can discuss all the options available to you.