One of the more difficult and time-consuming projects in info-sec is data classification. It’s especially difficult if you’re on a budget - which every company is. When an organization is fairly new to the security- and risk-driven mindset and must prioritize its efforts to achieve the most bang for its buck, data classification is often near the bottom of the list.
Before a company starts down the path of information security, there’s often a looming feeling that something isn’t right and that the steps to fix it will take effort. I liken it to a messy room that they’ve simply closed the door on, so they can try to forget there is a mess to clean up. Every time they walk by the room, they feel a twinge of embarrassment or a spark of motivation to tackle the problem; however, that emotion lessens every time they walk by until the feeling evaporates. Now the messy room has been “normalized.”
If you’re in the Department of Defense supply chain, you’ve become familiar with DFARS and the corresponding NIST SP 800-171 r1 over the last few years. It is a list of 110 controls that you need to be compliant with in order to continue supplying certain contracts.
Cybersecurity breaches are becoming more and more prevalent. In fact, it’s been estimated that there were almost 5 billion records breached in 2018. Many organizations spend thousands of dollars on security breach prevention tools, but won’t take the time to create a formal process of identifying, responding to, and communicating an incident.
The reason we wear our seat belts is not to avoid getting a ticket from the police, but rather to avoid a potential injury in a car accident. This analogy is an easy way to describe the difference between box-checking security and real security, and it's instantly understood regardless of technical knowledge. This message resonates with executives, because they typically prefer to “get to the point” and correctly protecting their data is “the point” of cybersecurity.