It is budget season and I have been wondering: how does a company prioritize its data security spend? Unlike building the business case for revenue-generating activities, like a new sales plan or a new product, the business case for data security is difficult to quantify. Why? Because it is focused on limiting loss – and it is difficult both to a) put a value on your data and b) estimate the cost of a breach.
Legal obligations force a “value” on certain data, so it is fair to say that the cost and effort to protect this data is a good minimum budget. But is that enough to protect the rest? Much of the data that we are forced to protect may not be considered as valuable to your business as other data. Your intellectual property, for instance, has a great deal of value to you and therefore needs to be protected. I think we all realize that we can’t protect all data. So where do we draw the line?
Risk calculation requires knowing what you have, where it is and how it is being used. Discovery tools can provide a pretty good notion of what kind of data you have and where it is, but not necessarily its value, since the value depends a great deal on the context. They cannot tell you, for instance, the degree of damage that would be done if the information were made public or got into the hands of a competitor. They cannot tell you that annual sales figures are no longer as valuable because they have now been made public.
It is at this point that user-driven data classification becomes very important.
When a user creates or accesses information, they are perfectly placed to assign business value to it. Users know the content and understand the context, allowing them to determine the degree of damage that the loss of the data would have on the organization. By classifying the data, the user assigns a value that other users and security systems recognize, informing them how the data should be handled. Clearly, documents marked as “SECRET” require more security than those marked as “PUBLIC.”
With a limited security budget, do you want to spend significant resources protecting “public” data? Of course not, but you will if you can’t distinguish public data from confidential data. With classification in place, security systems and policy will be set up to protect sensitive information, the data with labels like “secret” and “internal.” When affixed to the data as persistent metadata, classifications make it possible for the data users and your security ecosystem to recognize and protect the organization’s valuable information.
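As an added illustration, not code from the original post, here is a small Python policy check that reads a classification label from a document's persistent metadata and decides how a transfer should be handled, failing closed when the label is missing; the label names, policy table and sample documents are constructed for the example.

```python
from dataclasses import dataclass
from collections import Counter

# Handling policy keyed by classification label (constructed for this example).
# Each entry maps an allowed destination to whether encryption is mandatory there.
POLICY = {
    "PUBLIC":       {"internal": False, "partner": False, "external": False},
    "INTERNAL":     {"internal": False},
    "CONFIDENTIAL": {"internal": False, "partner": True},
    "SECRET":       {"internal": True},
}
DEFAULT_LABEL = "CONFIDENTIAL"  # fail closed: unlabelled data is handled as confidential

@dataclass
class Document:
    name: str
    metadata: dict  # persistent metadata travelling with the file (e.g. a custom property)

def read_label(doc):
    """Return (label, unlabelled) from the document's persistent metadata."""
    raw = str(doc.metadata.get("classification", "")).strip().upper()
    if raw in POLICY:
        return raw, False
    return DEFAULT_LABEL, True  # unknown or missing label: treat as confidential and flag it

def evaluate_transfer(doc, destination, encrypted):
    """Decide how a transfer to 'internal', 'partner' or 'external' is handled."""
    label, unlabelled = read_label(doc)
    allowed = POLICY[label]
    if destination not in allowed:
        return {"action": "block", "label": label, "unlabelled": unlabelled,
                "reason": f"{label} data may not go to {destination}"}
    if allowed[destination] and not encrypted:
        return {"action": "encrypt", "label": label, "unlabelled": unlabelled,
                "reason": f"{label} data must be encrypted for {destination}"}
    return {"action": "allow", "label": label, "unlabelled": unlabelled, "reason": "policy satisfied"}

def classification_inventory(docs):
    """Count documents per label; the unlabelled ones are where discovery alone cannot assign value."""
    counts, unlabelled = Counter(), []
    for doc in docs:
        label, missing = read_label(doc)
        counts[label] += 1
        if missing:
            unlabelled.append(doc.name)
    return dict(counts), unlabelled

# Constructed sample documents; the metadata values are illustrative, not from any real system.
SAMPLE_DOCS = [
    Document("press-release.docx", {"classification": "Public"}),
    Document("q3-sales.xlsx", {"classification": "confidential"}),
    Document("product-roadmap.pptx", {"classification": "SECRET"}),
    Document("meeting-notes.txt", {}),
]
```

The inventory function shows the budgeting angle: the unlabelled documents are the ones no discovery tool can value, so they are the first candidates for user classification.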
So what does this mean for your budget? First, once armed with identifiable data, it is much easier to assign data a value. Second, once the value is known, it is possible to create a more accurate risk assessment and, consequently, an appropriate focus and budget for data security. Finally, since classification enhances the effectiveness of other security tools, such as DLP systems, encryption, and archiving, using classification will enable a higher return on investment on these systems.
Perhaps it is time to include classification tools in your security budget?