Boldon James. Bridging The Chasm Between Security And Data Management

The primary reason most organisations look at classifying the data they create and handle is to control access to sensitive information, driven by the need to manage security risk and comply with regulations, such as GDPR. However, this scope is too narrow. By focusing solely on these objectives, they’re missing an opportunity to embrace data categorisation and extract greater business value from all of their data assets.

There are two clear schools of thought around the use of data classification: security and data management.

  • Data security: Teams in the security domain regard classification as a means to an end: the security labelling of data according to its sensitivity, to help users and tools identify its value and protect it appropriately.
  • Data management: Data teams view classification as the categorising of information in order to improve its quality and utility. Business categorisation of data is based around establishing its context and the content, and then considering who has access to it, and how it is organised, stored, used and deleted across its lifecycle. This domain is primarily concerned with how data can be used to raise business performance and efficiency, streamline processes and improve data governance practices.

At Boldon James we see these two domains as inextricably linked – and for an organisation to get the full benefit from data classification, it needs to ensure both worlds are connected. To do this, you need to go back to the classification policy and design an approach that goes beyond simple security labelling to one that harnesses data categorisation.

We’re seeing a growing trend for data classification customers to ask broader questions around their information. They’re taking a wider perspective of the problem, moving from ‘we have all this data – we need to protect it’, to ‘we have all this data – we want it to work harder for us’.

Organisations must shift to a business-centric approach to classification, tagging all information used within the business according to what it is, rather than simply according to the impact of its loss. This enables the data management and security tools that locate, organise, protect and remove data to make truly informed and coordinated decisions.

This more granular labelling can be driven by tagging the data according to its category. Categorising data is readily understood by end users, as it deals in the information types they work with every day, and it’s easy for them to assign information to a category. Once you know the category, you can automatically assign all the other related tags that reflect the data management, compliance, retention and security needs of that category – as well as apply policy rules specific to those extra tags.

For example, a document might be categorised and labelled as Staff Travel Request. The data classification tool will then automatically add all the tags that relate to that category – for instance a data management tag of HR/Staff Management/Travel, a retention tag of One Year, a compliance tag of EU-GDPR and a security tag of Confidential/PII. This approach hides the additional granularity, and wraps all the required information up into one easily understood term.

To make the most of the business-enabling value of data, organisations must adopt a more holistic approach to classification, one that embraces data categorisation and goes beyond simple security labelling.
