You cannot develop an effective information security program without understanding what it is you are protecting, or why attackers would want to obtain or harm it. Understanding your vital assets, in the context of information security, is the focus of this chapter.
To start, you need to understand what matters most to your company’s leaders. While that sounds simple and obvious, I have lost count of the number of security leaders who do not have a clue as to the priorities of their company’s executives. Instead, they are wrapped around the axle of implementing all the controls in a complex security framework such as ISO 27001/27002 or NIST 800-53, and are constantly surprised when their peers and CEO do not see them as a partner in helping the business succeed.
As the security leader, you need to develop relationships with your peers and the heads of all the major business functions (finance, HR, sales, production, etc.) in order to be effective. If you have not already done so, schedule interviews with each of them to understand what they do and what their pain points/concerns are regarding cybersecurity.
Use these sessions to develop an understanding of what matters to the business. What are the “Crown Jewels”? Don’t attempt to get all the information I detail below in a single sitting from each session. Rather, build a picture over time, confirming the information you gain from one person with others as you hold your meetings.
To develop an effective and business-aligned security program, there are five major things regarding the business you need to understand. These are:
- The company’s mission, customers, and markets
- How the company makes money
- The sensitive data it holds (the “Crown Jewels”)
- The systems that are critical to its operations
- The third-party partners it depends on
What you want to know, without asking in such a way as to make you appear clueless, is how the people you are talking to view the company’s mission, customers, and markets. Use this feedback to confirm the understanding you should have developed when researching the company before you joined.
You want to confirm that there is not a mission or agenda in play that you might not be aware of: for example, a plan to change the company’s mission or products, to acquire other companies to grow into new markets, or to be acquired. For startups especially, these options are a distinct possibility. Just because a company’s marketing literature firmly states, “We deliver the best <whatever>!”, does not mean that will always be the case.
Building your relationship with the other executives as a business partner starts by understanding the business and where the leaders intend to take it. Until you can gain the trust of these executives, you will constantly be in a reactive mode, reacting to events and decisions that have been made without your input.
Next, you want to discover how the company makes money, which you will generally learn from your conversations with finance and sales executives. What you want to know is: what products or services do they sell? Which sells the most? Which products or services matter most from a revenue and profitability perspective?
If your company sells products and services to specific companies rather than to the public, you will also want to know who your major customers and markets are.
As you learn what is important, you will begin to fit the puzzle pieces together in your quest to identify the “Crown Jewels”. These are those assets that are vital to the revenues and the operations of the company, or data whose disclosure can cause serious repercussions to the company’s operations or reputation.
The best way to identify what data is important is to look at it from the perspective of high-level categories of information. The aim at this point is not to identify what systems this data resides on (that comes next) or to get into all the details regarding the data, but to understand what is in scope. A simple ‘yes’ (we have it) or ‘no’ (we don’t) answer will suffice at this stage. The broad categories of sensitive data you want to identify are:
- Personally Identifiable Information (PII). This is a general term that is used to describe any form of sensitive data that could identify an individual. PII has historically been understood to include just social security numbers, phone numbers, mailing or email addresses, or driver’s licenses. However, as technology, software, and the associated breach-reporting regulations have advanced, the breadth of PII has also expanded. PII can also include login IDs, digital images, IP addresses, social media posts, and other digital forms of data.
- Protected Health Information (PHI). This would include any medical information that might identify an individual’s use of healthcare services, including both diagnoses and treatments.
- Intellectual Property (IP). This includes all assets such as copyrights, patents, trademarks, and trade secrets that are vital to the operations or success of the business.
- Cardholder Data (CD). Cardholder data is any personally identifiable information (PII) associated with a person who has a credit or debit card. This data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date, or service code.
- Sensitive Operational Data. All information that is vital to the operation of the business, including financial data, logistical data (depending on the business), customer information, etc.
- Other Reportable or Sensitive Data. This includes classified information (if you work with the government or defense industry), legally privileged information, information about the company that could affect its share price, etc. Your concern is to identify anything that would require you to notify the government, your customers, or your partners, should someone steal or inappropriately access the information.
As you determine whether the company uses or maintains any of the categories of sensitive data discussed above, you will probably discuss the systems that use this data, and the role that these systems play in the company’s operations. This can range from HR systems to internal IT systems used for production to external Software as a Service (SaaS) systems that are used for client tracking or marketing.
To help non-technical business leaders identify what systems are important, help them think about what the business impacts could be if they were not available. Could the company operate if they could not exchange email? If they could not produce their products or deliver their services? If they could not pay their suppliers or their employees? All of these can prompt an “a-ha” moment and help highlight potentially critical systems.
Besides third-party SaaS applications which are vital to running the business, there may also be third-party partners who are equally vital to your company’s business operations. These can range from call centers that handle customer support and back-office processing, to suppliers of critical components or raw goods, to distributors or sellers of your products or services.
Make sure that you start a list of these as well, as you will need this information as a starting point for setting up your third-party risk management function.
This is a draft of the content from my upcoming book on Heuristic Risk Management. The anticipated release is Q1 of 2022 and it will be available through all major book retailers in both print and ebook. Reference links are not included in these drafts, and all drafts will be removed from this forum when the book is published. Comments are welcome if there are areas that you feel are unclear or missing information. Since these are drafts, spelling and grammar issues are likely and will be corrected in the final release.