The first thing we usually ask new clients is: What are you defending?
Exploring that simple question allows us to understand how clients consider, and value, their assets. It helps to focus on what is really important to an organisation.
But what is an asset? Even the venerable ISO 27001, an international standard for information security management, is surprisingly light on a meaningful definition.
Formal risk assessment methods use different definitions, usually around ‘things of value’; although these are often vague, and don’t offer advice on how to identify and measure them.
There is almost always confusion between assets as a thing that can be compromised and the valuable things that an organisation needs to succeed. The former are tangible things: servers, networks, and so on. The latter may be less tangible: the collective effort of an organisation’s people (often described as ‘our greatest asset’), or brand loyalty.
“People are influenced more by what is immediately observable than by factors that are hypothetical or distant, such as something that could happen in the future or is happening far away.” – Tangible & Abstract bias, by the McCombs School of Business
This bias toward the observable, rather than the abstract, can affect someone’s analysis of risk. Phrases like: “We’ve never had an incident like that,” or “No-one has exploited that vulnerability before” during risk management discussions are the sorts of phrases that ring alarm bells when we hear them.
The thing is, many teams have already succumbed to this bias before they even get to the analysis stage. Starting from IT asset management tools can lead to complexity and tends towards massive bottom-up exercises to catalogue and classify missing IT assets. And other, more abstract assets, get missed out because they are ‘too hard’ to measure.
Assets aren’t always the obvious things
At Cydea our definition of an asset is a pretty broad one, and courtesy of the Collins Dictionary:
We use it as broad categories of assets at the top level - sometimes almost conceptual in nature: customer information, or cash; things that allow us to quickly build top-down models to help quantify the cyber risk of an organisation.
That’s because, while bottom-up views are important (you can only deploy anti-malware software to devices you know about), the sum of those views is much clearer if you’re looking from top-down sources, like annual reports.
And it’s not as difficult as you might think to put values on a wide range of assets. One client security team we worked with were adamant: “Our reputation is intangible, it’s not something that we can assign a value to, it’s just too difficult”.
After a short conversation with the client’s comms and marketing team, we learned that they ran regular brand awareness and trust surveys to understand public perception. They shared the results and analysis of their marketing and revenue performance. So we did find an answer. And it was something that could be tapped into for future updates, too.
From top-down, you can see into the cracks
Looking top-down makes it easier to conduct assessments at different levels (e.g. enterprise, business unit or system-level), depending on the project requirements.
We use estimation and assumption to strike the right balance so that we can quickly get to a sensible, quantifiable and improvable overview of both the observable and the less tangible assets in an organisation.
It’s also faster.
Typically we get to a ‘minimum viable product’ (MVP) version of an assessment during our first sprint. From there, as we understand more and gather more data, we can improve the accuracy of the analysis.
That understanding comes from engaging wider business teams in the process and drawing on their expertise. How, and what, do they observe in their day-to-day work? What are their key performance indicators? What are the economic drivers of their activities?
Better security outcomes
Ultimately this top-down approach to assets and engagement of business teams helps to tie the cyber risk assessment, and security outcomes, to the activities and goals of the organisation. It means we can be more confident in the alignment of cyber security teams with the priorities of their business colleagues.
It also means that you’re better placed to answer if you’re doing the right things in the right places.
So, what are you defending, and how might you be able to measure its value?
Want more of this? Sign up to our regular newsletter...