
RSA attendees see data classification, rights management projects stumble

SAN FRANCISCO -- Companies need to embark on data classification projects to gain more control over data movement and minimize data leakage, but it's difficult to find a company successfully carrying out such a project. Rena Mears, Deloitte's global and U.S. privacy and data protection leader, believes more companies are beginning to see the value in understanding where their data resides and the significance of eliminating unneeded data. Companies will get on the right track when they begin to treat data as an important asset, Mears said. In this Q&A from the RSA Conference 2008, Mears shares some effective strategies for beginning the discussion and talks about why many projects are ineffective.

Have companies missed the boat so far in terms of data classification? Do most firms know where their data is?
We did a survey and one of the things we found was that almost every company said they did data classification. When we actually talked to companies we found out that what that almost always means is there is a nice data classification document somewhere with some nice classes defined; somewhere between two and four. And pretty much what happens is the document is sitting on the shelf often with other policies sitting on the shelf. It's not clear who has read it. It's not clear if it's well implemented and more importantly it's fairly clear that the technologies that have been implemented are not well equipped to deal effectively with the data classification.

We see data classification coming more with things like segmenting networks. It's usually done at what I would call the gross level rather than the data level, architecturally segmented in the network. Access, firewall protection or greater perimeter protection around that segment of the network then is effectively meant to handle the fact that that data requires more protection. The question you then have to ask yourself is how really truly segmented and protected that particular part of the network is and often you find that there are holes or ways around and into that segment.

The Payment Card Industry Data Security Standard (PCI DSS) is one area where segmentation comes into play. How is data classification affected in that case?
PCI and the whole PCI requirements have driven more spend in this space than we've seen in a long time. Companies are taking it seriously. There are a lot of areas in PCI that require strategic decisions on the part of the company … They are developing that segmentation. What I think is still a challenge often is for companies who are trying to meet the framework of PCI really being able to have the time to step back and say, now that network segmentation—is it really complete? Is it really effective at all layers? I do think PCI has been a positive influence on getting data classification operationalized in some aspect, but we're not there yet.
Let's talk about rights management and some of the challenges there. It seems to be a people challenge rather than a technology challenge or is it a mixture of both?
It's all the above. In our enterprise risk survey we did, what we found out of all the technologies implemented was that the one that had been least implemented so far was digital rights management. There's a love-hate relationship with digital rights management in the technology world. Now there's this conversation about whether it should be there at all for certain kinds of products and services or should it be complete, and I think there are a lot of challenges. One challenge is people. Walk into the enterprise and everybody has an opinion of what should be done with data, but no one wants to stick up their hand and say I own the data, because when you tell them that is equal to accountability for what happens to the data, hands quickly drop. The concept of data stewardship and accountability creates issues.

What are your thoughts about the state of the economy and how it could possibly affect IT budgets moving forward?
For IT spending in particular I think we've got opposing economic forces going on. Clearly there is a downturn, and any time you have a drop in margin the first strategy that comes to mind is cut costs. But I also think there are some opposing drivers out there that actually work in favor of technology solutions and security and privacy issues. We're increasingly global and we're increasingly digital, so I think that what we're seeing is a recognition that IT, security, privacy and all the technologies that enable commercial activity are really essential for continuing growth.
In tough economic times it will become even more critical to show the value of a data project. Is it particularly difficult to show ROI with a data classification or a rights management project?
Only if you don't connect the dots to the fact that data is an asset, and most of us don't at this point. Enterprises deal with data as if it were free and it is not. When we talk about data classification, data protection and data management, if I look at data as a true asset then I can say I have a rate of return that I expect, an ROI off the investment in that asset. If that asset is returning nothing or it's negative, if it represents merely litigation risk, breach risk or regulatory risk, but it's not giving me revenue or not supporting my employees as an indirect revenue driver, then why do I have it? So one of the ways to get return on investment and show return on investment in a data project is to be able to show that you have effectively concentrated your efforts in the most bang-for-the-buck place on your assets, and the first recommendation is often to get rid of a lot of things you're holding because there is no return.

Who is going to be making the pitch to get a data classification project approved? Is it really IT driven?
The answer right now is nobody is making the pitch, or at least hardly anybody. Nobody has gotten together to make a good pitch, if you will, or to explain what the risks are. We've seen a little bit of upward movement through Sarbanes-Oxley, because suddenly the security guy got to talk to the board of directors. In the finance industry chief risk officers are the people who would bring this message up. Outside the finance industry we're starting to see other industries starting to pick up the concept of aggregating various risks and bringing all of that enterprise risk to the table at the C-level. All of this stuff requires strategy. The people who are hired to do strategy are in the C-suite and it needs to be a comprehensive message.
