On the surface, protecting your organisation's sensitive data seems simple enough. Deploy a data loss prevention tool and continue with your daily routine without a worry in the world.
Unfortunately, it’s not that simple.
Before you select a tool or implement any data protection controls, you need to step back and understand your data protection challenges. How do you define your data protection challenges? It’s about understanding people, the data they use, their processes, and the technologies they use to help them achieve their goals.
If you do not understand how the people in your organisation use and work with data, you're going to have a tough time defining and implementing a solution that protects your organisation's sensitive data without impeding their ability to collaborate and get work done. At worst, you'll break collaboration and block people from getting work done.
Get the fundamentals right
I always stress that a good data protection strategy and implementation requires a solid foundation outlining the why, the how, and the impact. Data protection is a journey that, whilst different for each of our customers, still has many similarities in the steps you should take to meet your objectives.
Once you have that solid foundation, you will have the building blocks outlining what you need to do in a logical order to build, implement, and mature your data protection capability over time.
It’s a journey
Implementing a data protection solution is a journey that should deliver a core set of capabilities giving you better visibility into the types of data in your environment. I consider the core set of capabilities to be data classification to assist with discovery, information protection to assist with labelling of sensitive data, and data loss prevention to control the use of sensitive data.
But before we get to these capabilities, let’s get the foundations right.
Discover and assess
If you don’t understand your organisation’s data, you’re not going to go very far. We all know there’s sensitive data lurking in our emails, documents, and file repositories, yet for many it’s difficult to define what is sensitive and requires additional protections.
IT departments may be responsible for the technologies that assist with data protection; however, the broader business must be responsible for defining what data is sensitive and what the technology needs to do to protect that data.
Buy-in from business stakeholders is critical to the success of a data protection strategy. Make sure you have the right people on board: those who can provide input to understand the how, and those who can drive the message for the why. This is a change with potentially considerable impact, which can be positive when done right and negative when not done well.
Firstly, you'll need to understand what types of data are important to the business, what examples of this data look like, and how this data is used.
Why is this important?
Knowing what data is important will help you build the capability to automate discovery of that data, and then understand how people work with it so you can assess risks such as data leakage and theft. Along the way you'll learn their workflows, which you'll use later to implement protections that don't affect productivity.
Secondly, what company policies and procedures are in place that state how sensitive data should be handled and managed? Are there legal, compliance, and regulatory obligations you must meet? How do you manage the data’s lifecycle, including retention, disposal, and quality? There’s a technology solution that can help for each of these questions.
Armed with this information, you can define which controls you'll want to put in place and which technologies need to be implemented.
Now you can start planning
With the learnings from the discover and assess phase, the information required to build a roadmap and strategy is in place.
Which technologies will be implemented, and in what order? Which controls will be enabled, and when, and what are the behaviours of these controls and their impact? Envision what's coming, make sure these changes will not interrupt productivity, and fine-tune where needed. Workshop scenarios so you know that people's workflows won't be interrupted.
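As an added illustration (not Arinco's code or any product's API), the chain of capabilities described above reduced to a small Python script: constructed detectors discover sensitive values, a sensitivity label is derived, and a DLP rule is evaluated against constructed workflow scenarios in audit mode and in block mode, so the impact on everyday collaboration is visible before the control is enforced. The detector patterns, label names, the @contoso.example domain and the scenarios are all assumptions.

```python
import re

# Added example, not Arinco's tooling: a toy discovery -> label -> DLP chain so
# a planning workshop can see what a control would do to real workflows.
# Detector patterns, label names and the domain are constructed placeholders.
DETECTORS = {
    "credit_card": (re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), "Highly Confidential"),
    "tax_file_number": (re.compile(r"\bTFN[: ]*\d{3} ?\d{3} ?\d{3}\b"), "Highly Confidential"),
    "project_code": (re.compile(r"\bPRJ-\d{4}\b"), "Confidential"),
}
LABEL_ORDER = ["General", "Confidential", "Highly Confidential"]
INTERNAL_DOMAIN = "@contoso.example"  # constructed organisation domain

def classify(text):
    """Discovery: which detectors match this text."""
    return {name for name, (rx, _) in DETECTORS.items() if rx.search(text)}

def label(text):
    """Information protection: the highest label any matched detector demands."""
    labels = [DETECTORS[n][1] for n in classify(text)]
    return max(labels, key=LABEL_ORDER.index, default="General")

def evaluate(scenario, mode):
    """DLP: only 'Highly Confidential' content sent outside the organisation
    triggers the rule; internal collaboration is never touched. In 'audit'
    mode the rule only records a match, in 'block' mode it stops the action."""
    lbl = label(scenario["content"])
    external = not scenario["to"].endswith(INTERNAL_DOMAIN)
    if lbl != "Highly Confidential" or not external:
        return "allow"
    return "block" if mode == "block" else "audit"

# Constructed workshop scenarios mirroring everyday workflows.
SCENARIOS = [
    {"name": "finance shares card list internally", "to": "amy@contoso.example",
     "content": "Refund batch: 4111 1111 1111 1111"},
    {"name": "payroll emails TFN to external accountant", "to": "ext@partner.example",
     "content": "New starter TFN: 123 456 789"},
    {"name": "status update to a vendor", "to": "pm@vendor.example",
     "content": "PRJ-2041 is on track for Q3"},
]

def workshop(mode):
    """Run every scenario under one enforcement mode and report the outcome."""
    return {s["name"]: evaluate(s, mode) for s in SCENARIOS}

if __name__ == "__main__":
    for mode in ("audit", "block"):
        print(mode, workshop(mode))
```

Running it in audit mode first shows which scenarios the rule would have touched; only the external TFN email is affected, so the internal and project-status workflows are left alone when the rule is switched to block.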
It’s a journey
Rome wasn't built in a day, and neither is a data protection solution. Be prepared for the journey, build capability over time, and do not rush. Get this wrong and you may find you need to tear everything down, and the appetite to start again will be low.
Start with a small cohort, working with people who are on board with wanting to protect their data. Get their input, listen to their feedback, and refine your solution. Then you can cast your net wider and start to include more people, with the confidence that you have the right people and processes for a successful rollout.
Adoption and change management
This is most likely going to be impactful. Will people notice a change? Are you expecting a change in their behaviours? You bet!
There's no point in making a change if no one adopts it, if people are unsure how to use it, or if they reject it.
Do you expect them to add a classification label to a sensitive document? Do you expect them to understand the visual cues and feedback provided by the solution? Give them the right information and you'll succeed.
Remember the Prosci ADKAR model: ensure there is awareness of the change, have people participate in and support the change, arm them with the knowledge and the ability they need to be successful, and keep reinforcing the change to make it stick.
Take the first step forward
If you need assistance, Arinco can help. With our Security Done Right and Data Protection Accelerator offering, we work closely with your team to assess your environment and implement the right data protection capabilities to meet your objectives and goals.