These days we strive for simplicity, we look for the easiest, simplest, and at first glance, cheapest, tools to make our organisations run better with less risk.
Let’s take data classification as an example. A 1,000ft view and it looks simple right? Data that we create is either confidential or not. Nothing complex about that.
This all looks great, until we start getting closer to the problem. The main (but not the only) reason that organisations look at classifying the data they create and handle is to ensure that sensitive information can be controlled. A big part of designing a classification policy is understanding what data is sensitive, and what is not. Who should have access to this information, and whether you should even be holding that information.
As soon as we start asking these questions, the challenge looks increasingly less simple.
We soon realise that we need both internal and external classification schemes. We find that the classification scheme that we use in HR looks quite different to the one we need in sales. We see that the classification policy we use in marketing does not fit the product development team’s needs.
Organisations are not islands. We have myriads of relationships with external suppliers, partners and vendors. When we design a classification policy we also need to take into account the way we communicate with organisations outside of our own. Just as organisations thrive from inter-dependent relationships, so should our data security tools. Classification has the ability to make so many other tools much more effective, whether that is DLP, Discovery, IRM and many other applications that we consider important in the fight to keep data secure. Just as there is no one size fits all, there is also no one-stop-shop, no single solution or magic bullet. Instead, what is important is how the best-of-breed tools can work together to create a seamless and highly effective solution.
Finally – we also need to work around a framework of legislation that is getting increasingly more complex, and the failure to adhere to this legislation is becoming more costly.
So, there is the challenge. To successfully negotiate that complexity with a classification policy that works for all, means that the tools we choose to use need to be incredibly flexible and configurable. But they still need to be easy to use. A good classification tool should not be complex to work with, it should in fact, hide the complexity. It should fit seamlessly into how end users work on a day-to-day basis.
The bottom line is that the complexity will not go away, and if you have to design your classification policy around the limitations of the classification tool, then frankly, you are using the wrong application.
You might just about get away with one size fits all when you buy a t-shirt, but a classification tool? Forget it!