Making Document and Data Classification work for an Independent Maritime Body that inspects ships and sets global safety standards
The Situation
The client was an organisation of engineers: a long-standing technical assurance organisation that applies rigorous standards, audits, and certification processes to complex, safety-critical systems. This is an organisation that REALLY understands the classification of ships, but it did NOT have a concept of classification to denote the sensitivity of different document types and data.
Information Security wanted everyone to classify documents and data to improve data security and minimise inappropriate data leakage, but the business had no idea why or how it should classify documents and data.
This was a classic case of a technical solution having been identified without any thought given to how to take business users on the journey to actively taking responsibility for managing sensitive documents and data, so that they are available and accessible only to the right people.
The Task
The Information Security team had identified a business-critical need to be able to classify documents and data within the knowledge worker ecosystem. As an established user of the Microsoft platform, they had identified Microsoft Information Protection (MIP) as the best solution for discovering, classifying, labelling, and protecting sensitive information across their Microsoft 365, Azure, and third-party platforms.
The internal Information Security team had drafted a set of classification labels and engaged us to work with them to implement these in MIP and roll them out across the global workforce (approx. 10,000 people in 75 countries).
As we engaged with the client it became clear that the InfoSec team had not engaged with the business in any meaningful way, either to explain why document classification was important or to understand how different parts of the business create and manage sensitive data in document form.
The Action / Approach
I worked with the InfoSec team to better understand the rationale and motivation behind the desire to introduce MIP and document classification. There had been a number of high-profile document leaks, and the InfoSec team had become aware that they had no understanding of where the organisation’s sensitive documents were being stored, who could access them, or whether they were being managed appropriately.
I then carried out two Discovery workstreams:
- Technical Discovery – to help the InfoSec team understand the configuration options available in MIP and the business implications of different design approaches. This produced a draft MIP configuration and deployment approach, intended to meet the (currently understood) technical requirements.
- Business Discovery – having helped the InfoSec team understand the business impact of ‘inflicting’ a document classification solution on the business, I engaged with a representative set of users from all key business areas to identify broader business requirements for document labelling and protection, understand likely areas of resistance, and start to identify potential advocates and champions for document classification.
Following Discovery, we fully reviewed the initially planned MIP configuration, making significant changes to ensure that it met both the InfoSec and wider business needs. I also created a comprehensive business adoption plan, designed to land MIP easily with the business and work around the likely areas of resistance identified during Business Discovery. The adoption approach included:
- Tailored communications for different parts of the business and user types.
- Simple, easy-to-use user guidance and adoption support, hosted in a SharePoint site, with all content customised to the needs of this organisation.
- An easy-to-use channel for users to raise queries or concerns and get a quick response.
We rolled out MIP using a phased approach:
- First 6 weeks – voluntary adoption of MIP to classify documents and data.
- 6 months – mandatory adoption of MIP to classify documents and data. This also gave the InfoSec team the ability to report on where sensitive documents and data were being stored and how they were managed.
- Introduction of Document Protection controls associated with some of the most sensitive labels.
The Result
Deployment and adoption of MIP across the entire global workforce (approx 10,000 people in 75 countries) went really smoothly.
- A tiny number of support tickets or issues were raised by end users in relation to the introduction of MIP. The client was very surprised, as previous introductions of InfoSec solutions had resulted in high numbers of tickets and lots of post-deployment remediation.
- Minimal resistance to the introduction of Document Protection controls associated with the most sensitive labels.
Overall, the client was delighted. Whilst deploying MIP took longer than they had originally anticipated, they put the success of the deployment down to the time taken to fully engage with the business before finalising the solution, and to the ‘new approach’ of creating a comprehensive user adoption plan alongside the technical deployment plan.