Why don't we classify data very well? How can we do it better?

As I prepare for our next CISO Executive Network roundtable series on Information Life Cycle Management I'm pondering a lot of issues that don't seem to get resolved when it comes to Data Protection.

One of the major issues I've always struggled with is DATA CLASSIFICATION.  When I worked in the US Intelligence Community it was all spelled out so neatly.  There were clear classifications and data had to be handled in very specific ways depending on the classification level.  Everything was labeled and everyone knew what to do.

The commercial world has been fighting data classification efforts for as long as I can remember.  In my experience, the resistance to this effort it's primarily because it's time consuming, it's hard to get agreement on the classification levels, and it's costly.  I also think that executives don't really understand the importance of doing it.

For me and many of our members it is very obvious why data classification is necessary:  you can't really afford to protect everyting at the same level.  And, yet, that's often what we end up doing. We can't agree to classification levels so we put it all in the same "bucket" and try to protect it all. 

I'd like to hear from our members on this issue. What is the best way to classify information?  How many levels make sense?  If we get management to agree to levels, can we get users to abide by those levels?  Can we automate the classifcation process?  What are the solutions we should be using: encryption, digital rights management, etc?

If you have ideas, I know our members would appreciate hearing them.  Jump on our LinkedIn Discussion Group and get involved in our thread on this topic.

Our Executive Breakfast Roundtable series on this topic begins in DC on August 28.  You may register now for the series from your Chapter home page.