Data classification has always been regarded as a foundational element of any viable data security strategy. After all, most organizations are creating, utilizing and storing more potentially sensitive data than ever before.
The emergence of compliance guidelines and data privacy mandates, such as General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), puts data classification front and center. The necessity of classifying data has grown as organizations must ensure their data is compliant and protected.
At the same time, data classification is proving to have equally valuable implications for corporate privacy initiatives. Because of this, some elements of data classification are moving beyond the realm of the Chief Information Security Officer (CISO) to involve the Chief Privacy Officer (CPO), who is beginning to shoulder more of this responsibility.
These security stakeholders come from different backgrounds and places on the organization chart, yet both bring important perspectives. Rather than engage in meaningless turf wars, savvy CPOs and CISOs are increasingly forming strategic partnerships to elevate data security throughout the organization. It may take time for elements of the new CISO-CPO paradigm to gel, but the common rallying point is a shared reason for being: safeguarding the organization's employees, brand and image.
Two steps to classification
While analysts say data classification has become a mainstream best practice for any security foundation, the reality remains that the process can be complicated. For that reason, it is advisable for CISOs and CPOs to navigate the journey together, starting with an examination of two foundational steps: data identification and data categorization.
Properly protecting data begins with knowing what you have. This is what data identification is all about. It is important because what cannot be identified can hurt you. Unfortunately, many organizations lack a clear idea of how to identify and track data across multiple systems, which involves detecting sensitive data in motion and at rest.
Additionally, categorizing data based on type and content is an essential piece of the data protection puzzle. Machine learning and artificial intelligence are gaining ground in automating categorization by recognizing and flagging data that is private and/or sensitive. The ability to detect sensitive content and attach classification and compliance metadata to it dramatically improves accuracy while streamlining integration with other parts of a company's data security ecosystem. Next-gen firewalls, cloud access security brokers (CASBs), enterprise rights management (ERM) and data loss prevention (DLP) all benefit from a cohesive approach, because each can act on the same labels rather than re-inspecting the content itself.
Dip your toe in a hybrid solution
Another opportunity for increased CISO-CPO collaboration is determining where data should reside. Talk of the cloud seems omnipresent in corporate conversations, yet moving everything to the cloud has not reached an overwhelming consensus among data security stakeholders. In fact, most enterprises favor a dip-your-toe approach whereby some data moves to the cloud while the rest remains on-premises.
While this approach is perfectly suitable for today, especially for organizations in highly regulated fields that need to make sure data is supremely protected, it requires a solution that is equally suited for both arenas.
Goldilocks has the answer
Understanding the value of the elements of data classification is necessary for ensuring the proper visibility into the overall data journey. This cannot be accomplished without finding the proper platform, which can be a good news-bad news scenario. While there are many offerings available today, resist the easy temptation of a one-size-fits-all solution.
Instead, CISOs and CPOs would be best served taking timeless advice from Goldilocks: Seek the solution that is just right. Every organization has its own specific security concerns and requirements, and therefore should avoid being shoehorned into a generic solution. With that said, the process can be a daunting task. While the potential is great, the reality remains that data classification is hard.
For example, most all-in-one platforms are limited in how they label emails. Demand a solution with flexibility to change controls or attributes as internal and external data privacy policies alter and grow, as they undoubtedly will. Solutions limited to sensitivity and dissemination controls also lack adequate safeguards.
Proper data classification requires gaining context around the data, so people and systems understand how best to handle information. Additional capabilities – such as being able to classify whether data is personal, subject to regulations such as GDPR and CCPA or confidential – also are quickly becoming must-have features.
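The two foundational steps described earlier (identifying sensitive data, then categorizing it and attaching metadata) and the must-have labels listed just above (personal, subject to regulations such as GDPR and CCPA, confidential) can be illustrated with a small classification scan. The following is an added example, not code from the original article or from any product it alludes to. The detectors, the sensitivity tiers, the regulation-to-finding policy mapping and the `X-Classification-*` metadata names are all assumptions chosen for illustration; a real deployment would take them from the organization's own policy. The sample records are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample records: the kind of content a classification scan
# meets in files, tickets or mailboxes. None of it is real data.
SAMPLE_RECORDS = {
    "hr/onboarding.txt": "New hire Jane Doe, jane.doe@example.com, SSN 123-45-6789, starts Monday.",
    "finance/card_dispute.txt": "Customer disputes charge on card 4111 1111 1111 1111.",
    "eng/roadmap.txt": "CONFIDENTIAL: Q3 roadmap, internal only.",
    "marketing/newsletter.txt": "Our newsletter for this month is out!",
}

# Step 1, identification: detectors for content that makes data sensitive.
# Pattern set is illustrative; production scanners carry far more.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}
PERSONAL_DETECTORS = {"email", "us_ssn", "card_number"}

# Step 2, categorization policy: which regulations a finding brings into
# scope. Assumed mapping; each organization configures its own.
REGULATION_POLICY = {
    "email": ["GDPR", "CCPA"],
    "us_ssn": ["CCPA"],
    "card_number": ["PCI DSS"],
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect(text: str) -> dict:
    """Return {detector_name: hit_count}. Counts only: the classification
    record must never echo the sensitive values it found."""
    findings = {}
    for name, pattern in DETECTORS.items():
        hits = pattern.findall(text)
        if name == "card_number":
            hits = [h for h in hits if luhn_valid(re.sub(r"[ -]", "", h))]
        if hits:
            findings[name] = len(hits)
    return findings


@dataclass
class Label:
    sensitivity: str        # Restricted / Confidential / Internal
    categories: list        # e.g. ["personal"], ["confidential"]
    regulations: list       # regulations in scope per REGULATION_POLICY
    findings: dict          # detector hit counts, for audit and DLP tuning


def classify_text(text: str) -> Label:
    findings = detect(text)
    categories = []
    if PERSONAL_DETECTORS & findings.keys():
        categories.append("personal")
    if "confidential_marker" in findings:
        categories.append("confidential")
    regulations = sorted({r for f in findings for r in REGULATION_POLICY.get(f, [])})
    # Tiering: personal data outranks a confidentiality marker; anything
    # with no findings defaults to Internal rather than Public, so an
    # undetected case fails toward more protection, not less.
    if "personal" in categories:
        sensitivity = "Restricted"
    elif "confidential" in categories:
        sensitivity = "Confidential"
    else:
        sensitivity = "Internal"
    return Label(sensitivity, categories, regulations, findings)


def to_metadata(label: Label) -> dict:
    """Flatten a Label into header-style metadata that downstream controls
    (DLP, CASB, rights management) can read without re-inspecting content.
    Header names are assumed for this example."""
    return {
        "X-Classification": label.sensitivity,
        "X-Classification-Categories": ";".join(label.categories),
        "X-Classification-Regulations": ";".join(label.regulations),
        "X-Classification-Findings": ";".join(
            f"{k}:{v}" for k, v in sorted(label.findings.items())),
    }


def scan_store(records: dict) -> dict:
    """Classify every record in a path -> text mapping."""
    return {path: classify_text(text) for path, text in records.items()}


if __name__ == "__main__":
    for path, label in scan_store(SAMPLE_RECORDS).items():
        print(path, to_metadata(label))
```

Running the script labels the onboarding note and the card dispute as Restricted (personal data, with GDPR/CCPA and PCI DSS respectively in scope), the roadmap as Confidential on the strength of its marker, and the newsletter as Internal by default. The point to notice is the separation between identification (the detectors), categorization (the policy mapping and tiering) and the metadata handed to other controls: swapping in a machine-learning classifier changes only the first stage, and changing privacy policy changes only the second.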
The most effective way to meet data security challenges is for CISOs and CPOs to maintain a united front. No soothsayer is required to know that regulations regarding data privacy and protection will grow in importance and change dramatically. At the same time, concerns about data breaches and misuse of personal information will also continue. For CISOs and CPOs, there is no better place to start joining forces than with data classification.