Data Classification: A Framework for Building, and Pitching, a Rock Solid Program

Darrell Jones

In our final installment, we are going to discuss how you roll all the concepts previously covered into a plan of action. The difference between the success and failure of a data classification program is a lack of action. I have reviewed over 10 programs in my professional career and lack of action is the key failure in all. Ideas are easy to understand and easy to communicate, but hard to execute. Therefore, you need a plan. The purpose of this blog post is to provide you with enough background and understanding, based on experience, to develop a plan. Let me be clear: this is not a plan. This is instead a framework, something to develop into a plan and intelligently pitch to senior management. The following will give you the tools to persuade the required business leaders to implement a successful Data Classification program.

Corporate Obstructions

First, we must address the elephant in the room. Data Classification, at best, highlights the omissions in most corporate data management strategies. Data handling, or data governance, is a 21st century concept. Previously, the strategy was to either keep everything, or delete everything. 99% of companies kept everything forever. The question of why corporations keep so much data came to a head in the 2014 Sony Pictures breach. The amount of data and different types of data (movies, emails, financial records) exposed was staggering. The breach made every corporate board pause for a moment and reflect on their own data exposure.  
The interlude didn’t last long. Organizations wanted to address this issue in a holistic manner, but they didn’t. The reason is simple. It is INSANELY expensive to address this problem if an organization wasn’t designed that way from the beginning. When the realization occurs that they cannot fix this problem completely, the teams move to a selective, ad hoc process that focuses on the corporation’s most sensitive data.

Are There Data Types or Groups You Should Skip?

The short answer is yes. Corporate legal departments usually have some sort of document management system (e.g. eDOCS, NetDocs, Documentum) that is used to organize and manage their documents. These legal teams must follow data retention and classification standards and requirements set by the judiciary. Another group that is historically excluded from data classification activities is the compliance team. Again, they are following requirements set by the regulatory body that governs the organization.

Four Levels of Data

The table below is a very typical example of a data classification schedule.

[Table: The Four Levels of Data]

You will notice most of the data used and produced by the organization is classified as “Confidential.” This is normal.

Expected Outcomes

Every organization is going to be different, but the general rules remain the same:

[Figure: Data Outcomes]

The ratio of “Highly Confidential” data, however, is the most important takeaway. Once you sit down with business leadership, you must identify the most sensitive data in your organization. This should be easy. If the Highly Confidential data total begins to move past 3%, however, you should have another set of conversations, as the scope of Highly Confidential data probably needs to be updated or revamped. An example from IT/Cyber illustrates this point. There is usually only one file that is considered Highly Confidential in IT/Cyber: the Risk Register. Everything else is classified as Confidential.

What Tools Do I Need to Buy?

So far, everything we’ve discussed about data classification has focused on people and process. That is because the tooling for Data Classification isn’t just one tool; it’s a capability that requires many different tools. This is no different than other capabilities. Your email DLP platform for example will differ from your CASB or web content firewall. Several vendors have come and gone in this space over the years. The big player I have used and continue to hear good things about is Spirion (formerly IdentityFinder). As far as I know, only a few vendors do data labeling. Oracle would be an example. Data classification vendors tend to be either DLP vendors or file activity monitoring vendors like Varonis or STEALTHbits.
The best vendor is the one that meets your requirements and use case. The very cheapest will probably be your best option because there is almost no return on investment for doing data classification or labeling in a product. You need to customize the environment around personally identifiable information (PII), protected health information (PHI), Payment Card Industry (PCI), etc., so what does a vendor get you? (I’ve exaggerated a little for effect, but you get my point).

In Conclusion

A CISO can’t build a Data Classification capability in isolation. Successful programs will include Risk Management, Legal, and Compliance. A successful program must also focus on business processes rather than technology. The global migration to Data Warehouse solutions reinforces this need. Data warehouses are designed to provide unlimited data integration and accessibility. They empower the business to uncover new opportunities that drive sales, marketing, and operational efficiencies. This is accomplished by removing the historic data siloing found in application-specific databases, pooling all the data, and augmenting it with other data sources. From a classification point of view, the historic cybersecurity controls are completely stripped from these systems in favor of accessibility. Successful Data Classification programs get ahead of these challenges by being part of the design process from the beginning. The final element of a successful program is the understanding that you cannot boil the ocean; focus on what data is important. This is only accomplished by working with the business teams to build their Highly Confidential data list. Again, focus on the business unit’s most important data. If the Highly Confidential data total exceeds 3% of the entire department’s data pool, reevaluate the data types. Otherwise, the controls surrounding Highly Confidential data handling will severely impact the business, which will be the death knell of your Data Classification program.
