Creating a Security Culture

Organizations need to build a security culture to provide a suitable information-protection solution. In this chapter, you will get an overview of the four main pillars of security culture: leadership support, efficient training, ongoing testing, and continuous communication with the entire organization and its partners. If you don't establish a security culture, you will struggle to succeed in any part of an information-protection strategy, because every employee needs to know what information must be protected. Furthermore, introducing security measures can result in high costs if they are not sufficiently planned and not supported by management.

An additional focus of this chapter is data classification, because classifying information provides the basis for most security mechanisms. Classification provides context for the factors that cause security policies to take effect and trigger the right level of protection. We will also explain how applying the four main pillars of a security culture supports the introduction of data classification. Finally, we will take a first look at the Microsoft classification and protection solution, in preparation for its practical application in the following chapters.

This chapter covers the following topics:

  • Why do we need a security culture?
  • The four main pillars of a good security culture
  • General overview of data classification
  • Azure Information Protection (AIP) overview
