2022 journal article

A View from the CISO: Insights from the Data Classification Process

JOURNAL OF INFORMATION SYSTEMS, 36(1), 201–218.

co-author countries: United States of America 🇺🇸
author keywords: data classification; data security; data governance; data loss prevention (DLP) technology
Source: Web Of Science
Added: July 5, 2022

ABSTRACT Data security is a critical concern for organizations. In a rush to protect data, some IT managers overlook the important first step of data classification and instead focus on implementing the strictest controls on all data to reduce risk. To investigate organizational processes surrounding data classification, we conduct interviews with 27 CISOs in 23 organizations. We develop a model that identifies the common themes of data classification and their interrelationships. The most common driver for data classification is compliance with data privacy regulations and security standards. Collaboration and employee education are essential to the process. Increases in employee awareness of data security risk and improvements in data hygiene are outcomes. Challenges to data classification include the increase in IT landscape complexity, maintenance of an accurate data inventory, immaturity of automated tools, limited resources, and user compliance. Our model provides insights for practitioners and identifies areas of interest for researchers.