Select Page
Data Classification: A Framework for Building, and Pitching, a Rock Solid Program

Data Classification: Building, and Pitching, a Rock Solid Program

Darrell Jones

In our final installment, we are going to discuss how you roll all the concepts previously covered into a plan of action. The difference between the success and failure of a data classification program is a lack of action. I have reviewed over 10 programs in my professional career and lack of action is the key failure in all. Ideas are easy to understand and easy to communicate, but hard to execute. Therefore, you need a plan. The purpose of this blog post is to provide you with enough background and understanding, based on experience, to develop a plan. Let me be clear: this is not a plan. This is instead a framework, something to develop into a plan and intelligently pitch to senior management. The following will give you the tools to persuade the required business leaders to implement a successful Data Classification program.

Corporate Obstructions

First, we must address the elephant in the room. Data Classification, at best, highlights the omissions in most corporate data management strategies. Data handling, or data governance, is a 21st century concept. Previously, the strategy was to either keep everything, or delete everything. 99% of companies kept everything forever. The question of why corporations keep so much data came to a head in the 2014 Sony Pictures breach. The amount of data and different types of data (movies, emails, financial records) exposed was staggering. The breach made every corporate board pause for a moment and reflect on their own data exposure.  
Data Classification, at best, highlights the omissions in most corporate data management strategies.
The interlude didn’t last long. Organizations wanted to address this issue in a holistic manner, but they didn’t. The reason is simple. It is INSANELY expensive to address this problem if an organization isn’t designed that that way from the beginning. When the realization occurs that they cannot fix this problem completely, the teams move to a selective, ad hoc process that focuses on the corporation’s most sensitive data. 

Are There Data Types or Groups You Should Skip?

The short answer is yes. Corporate legal departments usually have some sort of a document management system (e.g. eDOCS, NetDocs, Documentum) that is used to organize and manage their documents. These legal teams must follow data retention and classification standards and requirements set by judiciaries. Another group that is historically excluded from data classification activities are compliance teams. Again, they are following requirements set by the regulatory body that governs the organization. 

Four Levels of Data

The below table is a very typical example of a data classification schedule.  The Four Levels of Data You will notice most of the data used and produced by the organization is classified as “Confidential.” This is normal. 

Expected Outcomes

Every organization is going to be different, but the general rules remain the same: Data Outcomes The ratio of “Highly Confidential” data, however, is the most important take away. Once you sit down with business leadership, you must identify the most sensitive data in your organization. This should be easy.  If the Highly Confidential data total begins to move past 3%, however, you should have another set of conversations as the scope of Highly Confidential data probably needs to be updated or revamped. An example from IT/Cyber illustrates this point. There is usually only one file that is considered Highly Confidential in IT/Cyber: the Risk Register. Everything else is classified as Confidential.

What Tools Do I Need to Buy?

So far, everything we’ve discussed about data classification has focused on people and process. That is because the tooling for Data Classification isn’t just one tool; it’s a capability that requires many different tools. This is no different than other capabilities. Your email DLP platform for example will differ from your CASB or web content firewall. Several vendors have come and gone in this space over the years. The big player I have used and continue to hear good things about is Spirion (formerly IdentityFinder). As far as I know, only a few vendors do data labeling. Oracle would be an example. Data classification vendors tend to be either DLP vendors or file activity monitoring vendors like Varonis or STEALTHbits.
A successful program must also focus on business processes rather than technology.
The best vendor is the one that meets your requirements and use case. The very cheapest will probably be your best option because there is almost no return on investment for doing data classification or labeling in a product. You need to customize the environment around personally identifiable information (PII), protected health information (PHI), Payment Card Industry (PCI), etc., so what does a vendor get you? (I’ve exaggerated a little for effect, but you get my point).

In Conclusion

A CISO can’t build a Data Classification capability in isolation. Successful programs will include Risk Management, Legal, and Compliance. A successful program must also focus on business processes rather than technology. The global migration to Data Warehouse solutions reinforces this need. Data warehouses are designed to provide unlimited data integration and accessibility. They empower the business to uncover new opportunities that drive sales, marketing, and operational efficiencies. This is accomplished by removing the historic data siloing found in application specific databases, and pooling all the data and augmenting it with other data sources. From a classification point of view, the historic cybersecurity controls are completely stripped in these systems in lieu of accessibility. Successful Data Classification programs get ahead of these challenges by being a part of the design process from the beginning.  The final element of a successful program is the understanding that you cannot boil the ocean; focus on what data is important. This is only accomplished by working with the business teams to build their Highly Confidential data list. Again, focus on the business unit’s most important data. If the Highly Confidential data total exceeds 3% of the entire department’s data pool, reevaluate the data types. Otherwise, the controls surrounding Highly Confidential data handling will severely impact the business, which will be the death knell of your Data Classification program.  

RELATED POSTS

Stagehand: S1 Episode 8

Stagehand: S1 Episode 8

Carl Timmons was given 24 hours to decide what he wanted to do. This was a tactic. Twenty four hours to sit alone and think about all the money he could want and the price he’d pay for it. And 24 hours to also contemplate what Andre Savin might do to him before...

Stagehand: S1 Episode 7

Stagehand: S1 Episode 7

Andre Savin and Lincoln Palmer had met on several occasions and had the type of relationship you’d expect between two men of their standings on the billionaire scale. Contemptuous but also understanding. They were both driven by the same desire—access to...

Stagehand: S1 Episode 6

Stagehand: S1 Episode 6

Belfast, New York - 1889 They called him The Boston Strong Boy—arguably the first real boxing star and one of the highest paid athletes of his time.  He’d always been good at school. He attended Boston College where his parents thought he might pursue...

What Is Zero Trust Anyway?

What Is Zero Trust Anyway?

About three minutes into planning this post, I had one of those “god, I am old” moments. Here is why I had the moment. I have worked in cybersecurity since 1994. My first job was at a big 3 working for the U.S. government through one of the world’s...

Stagehand: S1 Episode 5

Stagehand: S1 Episode 5

Kuwait, 1990 I’m launched out of a submarine a few miles off the coast of Kuwait City. When I swim to shore, I quickly change into my dry land clothes—a full burka. I was a six-foot-one Marine posing as a good Muslim woman. The catch, beneath the modest...

Ransomware: When Policy Matters Most

Ransomware: When Policy Matters Most

Most CISOs divide their approach to cyber defense into three pillars: people, technology, and processes. These pillars define a cybersecurity program’s defensive architecture and arsenal, available assets, and policies and procedures that together inform...

Selling to a CISO? Practice Empathy, Not Salesmanship

Selling to a CISO? Practice Empathy, Not Salesmanship

The cyber security marketplace is hot. Ask any candidate for a cybersecurity role. Better yet, ask any supplier to CISOs. The supplier audience is especially vast, and it’s continuing to grow. Just three years ago, there were estimated to be less than 2,000...

The Risk of Measuring Risk

The Risk of Measuring Risk

Automated measuring of control effectiveness is a very good idea conceptually. When you can combine control gaps with relevant threat information, you get a very good picture about the actual technical cyber risks your business faces. If done correctly, it provides...

Stagehand: S1 Episode 4

Stagehand: S1 Episode 4

Keith and I left the scene like we found it: the two kidnappers dead on the floor, their shotgun up against the wall, and the rope used to tie up Carl Timmons sprawled out on the floor. We tipped off local law enforcement and were gone before they arrived, leaving no...

SecOps Needs More Democratization, Not Less SOC

SecOps Needs More Democratization, Not Less SOC

An increasing complexity of technologies, as well as an increasing number of failures and attacks followed by an increasing dependency on business goals is changing the way we run Security Operations Centers. I previously discussed the concept of a Fusion Center as an...

Measuring a Cyber Awareness Culture

Measuring a Cyber Awareness Culture

Until recently, cyber awareness metrics have been treated by many as a tick-box exercise driven by regulations. The regulator requires x number of hours of cyber awareness training per employee per year, and once that is done, the organisation ticks a box and waits...

Good Enough Isn’t Good Enough Anymore

Good Enough Isn’t Good Enough Anymore

The cyber risks we face today are more than we faced previously but also fundamentally different in several respects. Our adversaries are more adept and their tools and tactics more protean in capability.  In light of these increasing challenges, our cyber defenses...

Stagehand: S1 Episode 3

Stagehand: S1 Episode 3

Cyprus ~ 2006 Ali Hassan was a low-level operative in Hezbollah, but we had it on solid authority that he knew where three high-level leaders of the terrorist organization were hiding. Keith arrived fifty-seven hours into Hassan’s interrogation and by the looks of it,...

Mitre Disrupting Advanced Persistent Threats
Share This