It was around 2013 when we began to realize that while data classification is a technology solution, many organizations wanted to know “how” they could accomplish a successful data classification rollout.
To facilitate this discussion, we built a deployment methodology to help guide our customers on the journey toward a data classification strategy without disrupting business workflows.
This methodology suggested that your deployment should be broken into three phases: Crawl, Walk, and Run.
As time progressed, not only did Titus talk about the idea of Crawl, Walk, and Run, but our competitors did as well, which was quite flattering.
Nonetheless, looking back seven years later, it’s fair to say we made a mistake.
Suggesting that organizations have to start by crawling implies that the value they receive upon their initial deployment is limited.
The reality is that the impact their first data classification/protection deployment can have on their organization can be significantly valuable.
In fact, it can do everything from creating organization-wide security awareness and taking foundational steps to address regulatory compliance to greatly reducing data loss.
Hindsight is always 20/20, but after some reflection, we are now talking to organizations about breaking their data classification and protection program into three different phases: Educate, Empower, and Enforce.
What each phase means to organizations will vary depending on their level of maturity, but every organization will realize value on Day 1.
Here is a breakdown of what each phase could mean:
Often organizations struggle to get alignment among stakeholders on what data protection means to them as a business.
The Educate phase can be as simple as deploying data classification labels and metadata with the option of classifying while also applying light policies (such as prevent internal-only information from leaving the organization).
This phase could also force the classification of data if users are ready.
Educate may also include an inventory of data sitting at rest within the organization to educate stakeholders on the kind of redundant, outdated and trivial (ROT) data you have stored on your networks and servers — all of which can increase the potential for risk.
The goal of the Empower phase is to start bringing more policy into the mix to take your level of data control up a notch from the Educate phase.
More policies might be implemented at this point to ensure that users make the right decisions while handling and sharing information.
Adding metadata to data at rest during this phase will ensure that the right sharing controls are applied in the event the data moves around the organization again.
At this stage, you start to apply even richer policies to prevent the sharing of data.
Enabling your other security technologies, such as encryption or rights management solutions, to access the rich metadata applied to your data in the previous two phases adds another layer of precision and protection to your strategy.
Some organizations may tie more policies to their data loss prevention (DLP) or cloud security solution to prevent data from going to certain individuals, cloud servers or file shares.
Every organization will have a different definition of value for each phase of deployment based on their readiness and overall data protection culture.
Deploying data protection solutions in your organization is as much of a strategy conversation as it is a technology discussion to ensure you achieve the business outcomes that are critical to your organization.
If you would like to learn more about the Titus deployment methodology, we would be happy to review it with you in a one-on-one meeting.