The trick to protecting sensitive data is understanding not all business information must be protected.

Even organizations that understand the need for robust information security spend heavily on software and hardware without measuring its return on investment (ROI), only to still fail at safeguarding the most sensitive information that’s the lifeblood of their business because they failed to define what it is before apply security controls.

If you want to adequately protect your most valuable data, you must understand which business information is most critical to your bottom line.

Not all data is equal

It’s seems counter-intuitive, but the reason information security often fails to protect sensitive data is the mistaken belief that all information must be protected equally. Even before the pandemic and remote work became the norm, distributed workers, branch offices, mobile devices, and the evolving Internet of Things (IoT) meant organizations have had to become smarter about how they secure sensitive data. Now it’s more important than ever to make the business case for information security.

The business case isn’t a request for a bigger information security or more technology. Rather, it’s about identifying sensitive data, understanding its value, and being clear about what’s necessary to protect it. You need to operationalize a change in mindset that delivers ROI and protects the sensitive data that powers your business.  However, it can be difficult for organizations to step back and understand what data is the most valuable when it’s growing exponentially.

One thing is for certain, however: Trying to protect every single bit of data equally isn’t cost effective.

Sensitive data must be defined to be protected

If organizations are to marshal their information security resources effectively, they must narrow their scope and define what constitutes sensitive information. While the definition can be guided by compliance and regulator obligations, it’s just as important to figure what data constitutes as a critical asset to the business.

Just as a fleet of trucks are critical assets for a transportation company, every business today has stored information that is critical to daily operations—that’s the sensitive data that must be protected. Otherwise, there are financial repercussions in the form of lost competitive advantage and fines for non-compliance, both of which lead to lost revenue, as do settlements from litigation and damaged reputations.

While compliance obligations and privacy legislation do dictate that some information be prioritized by information security strategies, they’re just the beginning. A healthcare organization that may have all their patient data effectively secured but not have all their research data protected—it’s just as valuable as it may support patent application or attract grant money, and has the potential to generate revenue. Personally Identifiable Information (PII) is always an obvious candidate for protection because compliance and regulatory frameworks deem it as sensitive, but intellectual property or data that’s essential to running your business is just as critical.

Treat sensitive data like a business asset

If you want get ROI from your information security spending, you need to think differently. You must understand your data on a deeper level so you can assign a value to it. There’s plenty of information residing in your organization that won’t cripple your organization if it’s lost. But your sensitive data must be assigned appropriate valuations that will be the of a business case for information security spending.

Getting an ROI on your information security spending is about anticipating incidents that haven’t happened yet, much like an insurance company considers the likelihood of natural disasters. To determine sensitive data and its value, you must weigh the cost of the protections you put in place with the financial impact of any breach and its likely frequency.

The simplest approach its to categorize data in three ways: data can be shared freely; sensitive data that can be shared with certain audiences in specific ways, and data that must remain confidential to the organization and never shared. The process of segmented and prioritizing data enables to apply the appropriate information security controls, so you understand the complete lifecycle of all data and adequately protect it based on the repercussions of losing it.

Treating sensitive data like a business asset enables you to make the case for information security so ROI can be effectively measured so can protect these valuable assets as you would any other important investment.