Countless times during my career, I’ve been asked why data classification makes financial sense for an organization. This particular conversation typically arises in the context of a rebuttal to an unpopular project that has been proposed (i.e., one that doesn’t affect the bottom line — at least in a material and self-evident way).
Data classification can mean many things, of course, but from a data security perspective it typically involves the assignment of a sensitivity rating (or level) to various data used by an organization. The purpose of this assignment is, above all, to avoid “boiling the ocean,” as we consultants like to say.
Whether an organization is responding to a specific regulatory mandate, an active litigation, or merely taking a proactive stance toward its information management lifecycle, properly classifying the data is the first step. Such classifications (e.g., top secret, secret, confidential, restricted, and unclassified) allow organizations to identify what data an organization is handling on a regular basis, how well it is securing such data, and whether significant risks are being mitigated that relate to same.
While computer applications and appliances exist to help with data classification, ultimately this is a subjective exercise. Properly done, it includes all strata of the business, incorporates a risk-based approach, and contemplates business, technical, and other points of view. Only by identifying which data are important to the business, can an organization hope to quantify how expensive and inefficient its one-size-fits-all data management strategy truly is.
While data classification is most often cast in the light of risk-avoidance, there are significant benefits to classifying data that do, in fact, translate to the bottom line. Indeed, when an organization invests the time to classify its data, there are frequently entire populations of content that are being secured at great cost — though the actual content of these files merits no such security. These savings alone can pay for a data classification exercise.
Similarly, when organizations truly identify what data are important to their day-to-day operations, a great focus is brought to bear on how those data are created, managed, copied, distributed, and (ultimately) retired. This heightened awareness likewise has tremendous benefit for companies — whether in heavily regulated industries or not.
Forensic Update 