We have sensitive content everywhere and no consistent classification
The CISO is preparing for an audit and finds the company has no consistent way of identifying its sensitive content. Merger documents, customer personal data, and HR records sit in SharePoint and OneDrive without labels and without rules to block risky sharing. The CISO has six months to show a defensible classification baseline.
Trigger — Audit preparation; no consistent content classification.
Good outcome — Every document is labelled at the right sensitivity level, automatically where possible. Risky sharing is blocked or warned on, and the auditor sees a working classification programme instead of a list of hopes.