Mission impossible: Data identification and prioritization

Protecting your organization's most precious data is the goal, but not all data needs the same degree of care. Thinking strategically about what is most valuable can help you focus attention and funds where it's most needed.

Today humans create more information in two days than was created from the dawn of man to 2003 (if only cavemen had Twitter: Spent day looking for food #grunt #woollymammoth). The speed of growth and velocity of data creation is mind-boggling (90% of all data was created in the last two years). Businesses are becoming overwhelmed with data (including structured as well as semi/non structured). From a security practitioner's perspective, securing this data seems like mission impossible. The immediate thought would be to classify the data. Data classification has long been touted as a necessity for addressing data security issues. However, it is an expensive and cumbersome process that is overtly excessive for most companies (unless you're the CIA). The more effective approach would be to identify your mission critical data and its location.

The premise of data identification (and prioritization) is based on the assumption that not all data is created equally. Some data is more valuable than other data. From an economic perspective, it does not make sense to protect all data equally. Does it make sense to have sensitive corporate merger documents under the same level of protection as the Miley Cyrus MP3s on the marketing intern's laptop? Think about where you store your personal valuables: safety deposit box, combination safe, or liquor cabinet (this tends to house the prized possessions of the overworked IT pro). The point is that you wouldn't store your gym socks or your "Reagan trounces Mondale" newspaper in these secured areas (nor would you store your most valuable items out in the open). Logic would dictate that the most critical data should be under stronger control (plus it's more cost effective!).

Most IT security professionals find themselves in the unenviable position where they are expected to do more with fewer resources. What would be more cost effective than focusing on protecting the higher risk data assets? Take that first step and identify the certain types of valuable data and prioritize accordingly. Whether it be member/customer data, personal data, or commercially valuable data. Ask yourself, what data/information, if it left the organization, would cause all hell to break out? Make no mistake - this is not simply an IT endeavour. The identification and prioritization of critical information is an enterprise-wide initiative. Engaging the entire business allows for critical data to be prioritized in the greater context of strategic business objectives.

It is simply not efficient nor sustainable to apply the same blanket level of protection, storage and management requirements to all information. Once you know what data needs the most protection, you can properly allocate the funds and resources to best defend those assets and shift to an information-centric security paradigm.