When you think about the total amount of data that goes across an organization on a daily basis protecting all of it becomes a daunting, if not impossible, task. It is hard to wrap one’s mind around how much a gigabyte of data is, let alone trying to conceptually understand what a terabyte of data is! It seems that current regulatory requirements and Information Security professionals are saying that all this data needs to be protected? Not true… that is a myth generated to scare the masses! For most business units and organizations the reality is that only 5-10% of the data that transverses their infrastructure or sits within electronic and physical filing cabinets is sensitive enough to need protection.
How do we differentiate between data that needs to be protected and data that does not need protected? One answer is for us to embrace an enterprise wide data classification scheme that allows the owner of the data to decide which of their data should be treated as:
- Highly Restricted
Once data owners classify their data they can then make smart choices about which data to protect very tightly and which data not to protect as well. This also allows the site data owners to save money by purchasing tools or establishing business processes that protect the 5-10% of data that requires extra protection vs. trying to protect 100% of the data flowing through their work areas.
By focusing on the small amount (5-10%) of data that truly needs to be protected we can lessen the complexity and obtrusiveness of data protection and regulatory compliance while reducing the cost of people, time and dollars. This reduced focus and scope is beneficial to the organization’s bottom line.
Yes, there is certain data that we are legally required to protect and secure and doing so can require small sacrifices and inconveniences on our part, similar to having to wear a seat belt when driving a car. However, if we focus our attention and tightened security on the small percentage of data that needs to be protected we might actually find out that there really is such a thing as a cost effective Information Security program.
© Kevin L. McLaughlin, probably cited re-use is acceptable