When many organizations think about information security, they think in terms of technology. “Do we have encryption? Are our passwords secure? Is multifactor authentication in place?” These questions are helpful as they focus on critical basic security controls that are important for almost every organization. However, this control-based approach typically fails to answer the most crucial question: What do we care about securing?
Answering that question requires a deeper examination of several areas:
- Understanding organizational objectives: What level of risk can we tolerate? What requirements are imposed on us by external regulations or customer expectations?
- Identifying high-value information assets: What and where are our crown jewels? What information is worth protecting with more effort than everything else?
- Assessing risks and threats: What dangers exist in the world? How likely are they to happen to us? What is the impact if they do happen?
- Reviewing security options: What options do we have to mitigate risks? What’s the cost of these mitigations financially and in terms of workflow efficiency?
- Selecting and implementing controls: With all questions answered, leaders must then decide on a path forward that maximizes security effectiveness while minimizing cost and often includes informed acceptance of residual risk.
Let’s look at each of these areas in a little more detail.
Understanding organizational objectives
All strategy starts with understanding and selecting objectives. For example, retinal scanners and airlock entry may be overkill if you have an empty warehouse. If there is nothing in the warehouse of value, it isn’t essential to keep unauthorized people out. Instead, invest your limited resources in a decent fire suppression system to protect the building itself, and just put a simple padlock on the front door. On the other hand, if the warehouse holds gold bars, it may make sense to have more effective security. Information security is the same; organizations typically face risks or requirements in five categories: strategic, operational, financial, regulatory, and reputational. Depending on the organization, the industry, the financial situation, and the client base, each of these categories may be more or less important, and the organization may adopt a stance ranging from risk-seeking to highly risk-averse. For example, a company with a first-mover advantage in a new innovative space may take a risk-seeking approach to stay ahead of its competitors. However, they may be risk-averse financially because they have not yet reached profitability. The specific objectives and risk tolerances are always situational and ultimately depend on the organization’s overall strategy.
Identifying high-value information assets
Step two is understanding which information is most valuable. “Valuable” in this case has two meanings: valuable to the organization and valuable to an outside attacker. From an organizational perspective, valuable information might include processes or datasets that give the organization a competitive advantage, customer lists, pricing information, or its version of the Coca-Cola recipe. For an attacker, valuable information could be the names, addresses, and direct-deposit account numbers in an HR system, which might be used for identity theft, or access credentials to infrastructure systems that make a ransomware attack easier to execute. Less valuable information may include internal reports, scheduling emails, and project plans – useful material for making a business run but not a source of strategic advantage and not of much interest to external parties.
Assessing risks and threats
Once high-value information assets have been identified, step three is to understand risks and threats. This typically takes place via a risk assessment process that starts with the development of a list of possible threats, including external (such as hackers or malware), internal (such as disgruntled employees or accidental information disclosures), and environmental (such as an office fire destroying the server room). Each threat is assessed based on its likelihood of happening, given the organization’s current level of security controls and the environment in which it operates. Consider each threat based on its level of impact if it happened, considering the organization’s tolerance for different types of risks. For example, it is almost impossible to block all phishing emails, and an untrained staff member will almost certainly click on a phishing link eventually, so phishing attacks might rate as “almost certain” from a likelihood standpoint. For impact, the type of organization needs to be considered; a manufacturing company might lose millions of dollars per day if ransomware shuts down production, but a consulting firm can probably deliver their products a few days late after their files are restored from backup. The manufacturing firm faces a very high impact and should go to great lengths to defend their production line, perhaps even building an air-gapped network for those machines. The consulting firm is much less exposed and needs a reliable backup system. For both organizations, training for employees can reduce the likelihood of the threat, but the approaches to reduce impact are often much more situational.
Reviewing security options
The next step is determining what security tools are available and how intrusive they are to users and their daily workflows. For example, conditional access controls, like checking that login IP addresses come from a country where you have users, are very low impact; most users will not even notice them unless they try to work while on vacation. This kind of control is inexpensive, easy to implement, and has little impact on workflow. On the other hand, data loss prevention systems often require users to classify the data they transmit and the documents they create, including a significant up-front effort to classify existing data. These systems significantly impact workflows because they block certain communications or require approvals to send specific information to partners or collaborators. This dramatically reduces the risk that users will unintentionally divulge confidential information to the wrong people, but it comes at a cost to efficiency and responsiveness. This kind of control makes sense for the most sensitive data that the company handles or if a data classification system is required for compliance or a security certification that satisfies customer scrutiny. The level of security controls must be matched with the sensitivity of data and the impact of threats and risks.
Selecting and implementing controls
Equipped with the information from the first four steps, information security leaders can then make informed decisions on which security controls to implement to achieve the most effective and efficient security program.
Following this process, an organization can selectively prioritize systems and information for the highest level of protection while providing a solid baseline of low-cost, high-impact controls that apply across all system