A View from the CISO: Insights from the Data Classification Process

Bibliographic Details
Published in: The Journal of information systems 2022-03, Vol.36 (1), p.201-218
Main Authors: Bradford, Marianne, Taylor, Eileen Z., Seymore, Megan
Format: Article
Language: English
Description
Summary: Data security is a critical concern for organizations. In a rush to protect data, some IT managers overlook the important first step of data classification and instead focus on implementing the strictest controls on all data to reduce risk. To investigate organizational processes surrounding data classification, we conduct interviews with 27 CISOs in 23 organizations. We develop a model that identifies the common themes of data classification and their interrelationships. The most common driver for data classification is compliance with data privacy regulations and security standards. Collaboration and employee education are essential to the process. Increases in employee awareness of data security risk and improvements in data hygiene are outcomes. Challenges to data classification include the increase in IT landscape complexity, maintenance of an accurate data inventory, immaturity of automated tools, limited resources, and user compliance. Our model provides insights for practitioners and identifies areas of interest for researchers.
ISSN: 0888-7985, 1558-7959
DOI: 10.2308/ISYS-2020-054