Classify This! 10 Best Practices to Jumpstart Your Data Classification Program By Mathew Schwartz
Many CIOs dream of applying automated classification to any data generated in
the enterprise. The overriding goal: to ensure the organization can apply more
of its scarce security resources to protecting its most sensitive data.
Keep dreaming: Outside of the government, few organizations report much
success with enterprise-wide information classification programs. “It’s a
cornerstone of information security, but it’s a project from hell. No one wants
to do anything about it,” says Nick Frost, senior research consultant for
Information Security Forum in London. Typical challenges include too many
classification schemas, overly manual processes, poor user buy-in - if not
outright resistance - as well as legacy data.
Why classify any data at all? Two words: legislation and regulations. Not to
mention a lingering feeling “by security professionals that they should be doing
this anyway,” says Frost. “But what certainly helped implement this was the
legal liability and penalties.” Those legal liabilities come via such
regulations as HIPAA, Safe Harbor, GLBA, the Data Protection Directive in
Europe and even stronger regulations in countries such as Germany.
But regulations are just the start. Other drivers include improving document
retention practices, data security, e-discovery, as well as operating
efficiency. According to Mark D. Rasch, managing director of technology for FTI
in Washington, D.C. and former lead prosecutor for the Department of Justice’s
computer crime cases, “if you don’t know what you’ve got, and how important it
is, you don’t know how long to keep it, and as a result, you tend to keep
everything, and that’s extremely costly in terms of storage as well as potential
data loss, and for litigation.”
Future technology may solve all of these issues by fully automating data
classification. But experts say those days are a good decade away. In the
interim, they offer these 10 tips for data classification:
1) Avoid “All or Nothing” Thinking
Know that at the start, classifying everything will be impossible.
“It’s difficult for a lot of people in information security who come from
scientific or engineering backgrounds to accept that you’re not going to be able
to classify all of your information,” says Frost. As a result, many choose to
not classify anything at all. Avoid this kind of top-down, all-or-nothing
thinking. In fact, he says, the most successful organizations have introduced
data classification very slowly.
Even in mature programs, classification may still be used sparingly. “You can
say, we’ll just classify everything as sensitive, but that does no good,” says
Rasch. He dubs this the Yankee Stadium Syndrome: “when one person stands up,
they can see better, but when everyone stands up, no one can see better.”
2) Think Small
When starting out, “pick a small number of classification categories,”
recommends Fred Avolio, an 18-year computer and network security veteran
currently working for Johns Hopkins University, and make them easy to
understand. What are common categories? “For most companies, we are probably
talking about Company Confidential, Personnel Confidential, Client Confidential
and Restricted Distribution.” And do substitute the actual company name - “Acme
Corp. Confidential” - where appropriate.
3) Be Relevant
Naming classifications, however, is only the starting point. “You really need
to back it up with specific examples” that are relevant to any given group of
users, says Frost. As this implies, the exact meaning of classifications often
varies by business group, since “client confidential,” for example, naturally
means different things to sales, business development and IT teams.
4) Find Guinea Pigs
The best way to begin a data classification program is to find receptive
business groups. Human resources and the legal team are two likely candidates,
since they will be storing information governed by numerous regulations and
restrictions.
The next goal will be to advance beyond a “thou shalt classify” to a “how to
classify” culture. Armed services intelligence agencies do this particularly
well, says Frost. “In these military groups, they say they learn from their
colleagues - not just from the security professionals.”
5) Ignore the Past
When getting a data classification program up and running, of course there
will be old, unclassified data. Ignore it. Frost says companies with the most
successful data classification programs “start off classifying just what is
new.”
6) Follow Policies
“A common mistake is having a data classification policy and not following
it,” says Rasch. “I’d rather you not have a policy if you’re not going to do it,
because if you have a policy that says you have to do it and you don’t do it,
then you have double-trouble,” especially when it comes to data breaches,
e-discovery requests, litigation holds or a regulatory audit.
7) Track Requirements
Maintain a list of all classification drivers and their requirements. These
often include privacy laws, export restrictions, data retention requirements,
customer details and product-development information. “Many of these
classifications will overlap,” notes Rasch. “So you may have one document that
has multiple classifications on it, some of which expire and some of which may
continue. That’s what makes data classification more than trivial.”
8) Know Your Enemy
Data classification is not an abstract exercise. “Know your adversary,” says
Avolio. “Who is after your information? Who would benefit? What would an
adversary spend to get it? How much would an adversary benefit?”
Also beware of the so-called matrix theory, an espionage tactic “where if you
take enough benign information, you can learn a trade secret,” says Rasch. A
simple example: “You know A is talking to B, and B immediately talks to C, then
you know about relationships between people.”
9) Fine-Tune Penalties
Prepare for potential internal resistance. “You’re starting with the
assumption that people want to classify stuff. What do you do if they’re trying
to avoid it?” notes Rasch.
One technique for enforcing data classification used by some intelligence
agencies is a penalty approach modeled on a driver’s license: too many
incorrect data classifications, or a failure to classify data that should have
been classified, and the employee accumulates points. Reach 12 points and your
security clearance is downgraded, which in practice means you are probably out
of a job.
10) Put Classifications to Work
Beyond using data classification to satisfy regulatory requirements, also
stress the business upsides to internal users. “Classifying information also
offers organizations a huge amount of opportunity,” says Frost. One example he
offers is a company that requires its employees to tag all “commercial”
(business-related) information. This designation is then added to the file
properties of relevant Word documents, Excel spreadsheets and e-mails.
Meanwhile, automated backup software trawls all hard drives and backs up files
tagged as “commercial” every day. Because the classification label is stored as
machine-readable metadata, a security control can act on it without anyone
reviewing the content. Thus the company ensures it has current backups of
business-critical information, and tackles the rest - overwhelmingly, personal
e-mails, photos, and music - via monthly whole-disk backups.
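The mechanism above, a classification label stored in a document’s file properties and a backup job that selects on it, as an added example that is not code from the article or from the company Frost describes. It assumes the label is a custom document property named “Classification” in the docProps/custom.xml part of a .docx zip container (the standard OOXML location for user-defined properties); the sample files are constructed fixtures, not real Word output, and the daily selector treats anything without a “Commercial” label, including unreadable files, as material for the monthly whole-disk backup.

```python
"""Classification-driven backup selection (added example).

A .docx is a zip; user-defined properties live in docProps/custom.xml.
The daily backup job reads the "Classification" property and picks only
files labelled "Commercial". Everything else (other labels, no label,
or a file that is not a valid zip) is left for the monthly whole-disk run.
"""
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# OOXML namespaces and the fmtid Office uses for user-defined properties.
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
USER_DEFINED_FMTID = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
LABEL_PROPERTY = "Classification"  # assumed property name


def build_custom_props(props):
    """Serialise {name: value} as an OOXML custom-properties part (bytes)."""
    ET.register_namespace("", NS_CP)
    ET.register_namespace("vt", NS_VT)
    root = ET.Element(f"{{{NS_CP}}}Properties")
    # Property ids start at 2; pid 1 is reserved by the spec.
    for pid, (name, value) in enumerate(props.items(), start=2):
        prop = ET.SubElement(root, f"{{{NS_CP}}}property",
                             fmtid=USER_DEFINED_FMTID, pid=str(pid), name=name)
        ET.SubElement(prop, f"{{{NS_VT}}}lpwstr").text = value
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def write_minimal_docx(path, body_text, props):
    """Write a minimal docx-style zip: a document part plus custom props.

    Constructed fixture for the example; a real Word file has more parts.
    """
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("word/document.xml", f"<doc>{body_text}</doc>")
        if props:
            z.writestr("docProps/custom.xml", build_custom_props(props))


def read_classification(path):
    """Return the Classification property of a docx, or None if absent/unreadable."""
    try:
        with zipfile.ZipFile(path) as z:
            if "docProps/custom.xml" not in z.namelist():
                return None
            root = ET.fromstring(z.read("docProps/custom.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None  # unreadable file: never silently promote it to "Commercial"
    for prop in root.findall(f"{{{NS_CP}}}property"):
        if prop.get("name", "").lower() == LABEL_PROPERTY.lower():
            val = prop.find(f"{{{NS_VT}}}lpwstr")
            return val.text.strip() if val is not None and val.text else None
    return None


def select_for_daily_backup(root_dir, label="Commercial"):
    """Split the .docx files under root_dir into (daily set, left for monthly)."""
    selected, skipped = [], []
    for p in sorted(Path(root_dir).rglob("*.docx")):
        # Case-insensitive match: users type "commercial" as often as "Commercial".
        if (read_classification(p) or "").lower() == label.lower():
            selected.append(p)
        else:
            skipped.append(p)
    return selected, skipped


def demo(root_dir=None):
    """Create constructed sample files and return the two backup sets by name."""
    root = Path(root_dir) if root_dir else Path(tempfile.mkdtemp(prefix="classify_"))
    write_minimal_docx(root / "q3_forecast.docx", "Q3 forecast",
                       {LABEL_PROPERTY: "Commercial"})
    write_minimal_docx(root / "holiday_plans.docx", "beach list",
                       {LABEL_PROPERTY: "Personal"})
    write_minimal_docx(root / "untagged.docx", "draft", {})
    (root / "corrupt.docx").write_bytes(b"not a zip at all")  # unreadable edge case
    (root / "notes.txt").write_text("ignored: not a docx")
    selected, skipped = select_for_daily_backup(root)
    return [p.name for p in selected], [p.name for p in skipped]


if __name__ == "__main__":
    daily, monthly = demo()
    print("daily backup set:", daily)
    print("left for monthly whole-disk backup:", monthly)
```

The selector deliberately fails closed in the cheap direction: a file whose label cannot be read is not dropped from backup altogether, it just falls to the monthly whole-disk run, so a corrupt or mislabelled file costs at most freshness, not the data itself.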
Remember the Business Rationale
As the above strategies make clear, data classification mostly remains a
manual endeavor. Yet it need not be overly complex to be successful. Indeed,
with a little user buy-in, even a small information classification program can
have a big business upside.
Mathew Schwartz is a freelance business and technology journalist who
regularly covers IT, information security, and compliance trends.