GRC Viewpoint

Mapping the Terrain: The Staged Odyssey of Data Protection

When it comes to data protection, many companies don’t realize that it’s a journey and not a walk-in-the-park approach. Companies must first understand what they have for data and where it’s located before they can protect it. It’s expected that many organizations have hundreds of different data repositories but lack sufficient knowledge regarding the types of information stored within them; is the data sensitive, public, or partner-related? Who should have access to what? 

Unfortunately, no magic tool can scan and find all these repositories to bring back data classifications. However, there is a manual exercise to map data identity, where the critical areas are, and what sensitive information resides within. It may sound old school, but creating a paperwork map that plots out data discovery is the best method—there is no quick discovery process.


Securing Data Begins With A Crawl

The data discovery journey draws a parallel to the familiar adage of learning to “crawl” before “walking” and finally “running.” The information discovery and classification progress follows similar phases.

At the onset of the paper mapping project is understanding an organization’s present state regarding information, security, and compliance, a.k.a. the “Crawl Phase.” The Crawl Phase requires a deep dive into the intricacies of business processes, stakeholders, and partner relations. Void of all automation, labels are applied to content by hand, and strategies are crafted based on the unique requirements for the role of each document’s owner—with a significant emphasis on change adoption. Often, these changes are conducted behind the scenes, so it’s imperative that members of the organization are aware of them and understand these new labels and evolving policy alterations. Above all, organizations must follow the rule of thumb: have at most five classification labels to make things easy for the users.

Walking Through Data Protection

When transitioning from the Crawl Phase to the Walk Phase for data protection, the emphasis is shifted to planning and implementation specifics. Best of all—automation can start. Conducting the Walk Phase involves running a pilot program for a Proof-of-Concept (POC) with a chosen user group to validate and refine newly established strategies. Users are introduced to the various methods of classifying content and asked for their feedback to refine and enhance these classifications. User group input is vital as it gathers opinions on differing classifications needed across various departments. 

Understanding and adopting are foundations of the Walk Phase. Continuous training sessions ensure that every user understands each classification’s meaning and its implications. 

Running With Automation

The Run Phase marks the culmination of the mapping journey and is dominated by automation and strict policy enforcement. Encryption and preventive controls such as content blocking and advanced information rights management techniques take precedence in this phase. In addition, sophisticated protection tools such as Translation Lookaside Buffer (a memory cache that stores the recent translations of virtual memory to physical memory) offer an unparalleled level of content safeguarding.

However, it is essential to note that encryption steps must be taken judiciously, considering all business processes. A misjudgment such as unwarranted encryption of partner information has the potential to impact operations severely. While the emphasis is on data protection, user-centricity must always be at the forefront. Encryption is the last part of the Run Phase because organizations must clearly understand the business processes; you don’t want to inadvertently encrypt partner content and stop half the organization from working. 


From on-prem to the cloud, companies have hundreds of data containers with unstructured and sensitive information available to almost any employee who wants to obtain it. According to IBM, “The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over three years,” and “82% of breaches involved data stored in the cloud.” The seemingly daunting task is to identify, classify, and secure this information from individuals who don’t have the credentials to access it. However, there is a mapping process that continues to yield success when implementing it in slowly progressing stages.

When identifying and classifying thousands of documents, organizations must realize that technical implementation isn’t easy. Developing the proper procedure to ensure the data protection project has long-term success remains the challenge, and communication is paramount. 

Constantly informing users of the project’s importance and business impact is crucial—right up to the go-live stages through the post-implementation phase for follow-up and feedback. The process is not gazelle-like, where a newborn starts to run immediately; it’s the crawl, walk, and run stages we are all familiar with. Organizations that follow this process will find success in identifying and securing their data. Those who attempt to run before they crawl will see limited adoption and extreme user pushback. 

By Graham Hosking, Solutions Director – Compliance at Quorum Cyber

Graham Hosking is Solutions Director – Compliance for Quorum Cyber. Graham has over 20  years of experience delivering technology strategies for business teams in the public sector, and commercial enterprises. Prior experience includes 6 years at Microsoft, where responsibilities included leading strategic business workshops and presenting in-depth technical demonstrations focused on security (Microsoft Defender) and compliance (Microsoft Purview). Understanding of regulations and assessments such as GDPR, NIST, SEC, ISO etc, how these align to best practices for technology adoption. He holds multiple certifications in Microsoft solutions and Prosci change management, and is a Microsoft Certified Trainer (MCT).

Related Articles

Latest Articles