The expanding digital business means expanding cyber risk. Digital disruption has made its way into every industry, and if there is one thing executives are grappling with, it is the continuous increase in cyber-attacks. An enterprise-wide and holistic approach to cybersecurity is now a common agenda item in industry board rooms. Even though organizations are strengthening measures to protect their business, attacks are getting ever more sophisticated. Government bodies are also trying to keep pace with new and enhanced regulations that demand better security measures and privacy controls.
Weak assessments tend to result in weak security controls. Risk reduction activities can be effective only when cyber risk is properly understood, looked at from multiple angles, and analyzed in all its dimensions. Too often, cyber risk assessments and reporting are inadequate, and if the vendor or in-house team is not well versed, the controls implemented to mitigate the risk will not provide sufficient coverage. The result is an imbalanced outcome in which areas that don’t need attention are overprotected while the ones that do remain exposed.
Businesses need to understand risk in business terms. One of the major reasons for the imbalance above is that cyber risk has long been seen only through a technology lens. According to a recent Tenable-Forrester study titled “The Rise of The Business Aligned Security Executive”, fewer than 50% of security leaders are framing the impact of cybersecurity threats within the context of specific business risk. There has been a wide disconnect in the boardroom: technology impact is well understood, but an adequate measure of business impact seldom exists, and in most cases the search for one has been a wild goose chase.
Security and Business teams meet at the Crown Jewels. In today’s environment, it is imperative to give cyber risk a business context so that decisions are sound and risk mitigation is tailored. Organizations must focus on protecting the assets that add the most value to the business rather than those that add little. So how should an organization find what matters to it most? What adds value to its business? While the full answer to this question is long, one can always start by identifying what is nowadays referred to as Cyber Crown Jewels (CCJ) or Mission Critical Assets (MCA). These are IT assets which, if compromised during a cyber-attack, could cripple an organization's operations. In other words, these are the assets that MUST be protected for operational continuity.
Identifying Crown Jewels is possible through teamwork. Identifying crown jewels is not as easy as it looks; it needs business and technology folks to come together. The business should identify the processes and the data that are vital to its function, and technology folks should identify the systems, networks, and applications that support those business processes.
Some of the considerations for a comprehensive analysis include the following.
Discover assets
Start with asset discovery, because “you cannot protect what you don’t know”. Before embarking on Crown Jewel Analysis, prepare a comprehensive inventory of all your IT assets.
Identify what is critical
Not everything will be critical. Industry benchmarks suggest that crown jewels may represent just 2% of your business, yet they may dominate 70-80% of your business value.
Include third parties
It is very important to acknowledge that crown jewels can exist anywhere, even beyond the perimeter of the organization, now that employees work from virtually everywhere and partners are mostly in the cloud. It is critical to monitor assets that reside with third parties or business partners to ensure that they are equally protected.
Understand loss impacts, not just continuity
Most organizations prioritize Crown Jewels in line with their Business Continuity Plan. While this serves as a good starting point, it may lead to the actual crown jewels being ignored. Look at your assets through the lens of an attacker. For example, an email server may not be critical to business continuity, but the amount of sensitive data it holds makes it a lucrative target for attackers.
Know where your data is
Eliminate “Data Blind Spots”. An organization’s data is no longer confined within its walls; more and more data is being shared with third parties and partners. One can start with something as simple as data discovery, aided by the many products and tools on the market.
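The considerations above (a small share of assets carrying most of the value, third-party hosted assets, and the continuity view missing data-rich targets such as an email server) can be made concrete with a scoring pass over an asset inventory. The following is an added example written for this page, not code from the article, MITRE, or any named vendor: the inventory, field names, weights and the 25% cut-off are constructed assumptions, and a real exercise would replace them with figures agreed between business owners and technology teams. It scores each asset once for operational continuity (the BCP view) and once for loss impact (sensitivity and volume of data, weighted by where it is hosted), ranks the combination, and separately flags assets that only the loss-impact view would catch.

```python
"""Rank a constructed IT asset inventory to surface crown-jewel candidates.

Added example, not from the original article. All inventory entries,
field names and weights below are constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Asset:
    name: str
    owner: str        # business owner (constructed)
    bcp_tier: int     # 1 = outage halts core operations ... 4 = negligible
    sensitivity: int  # 0 = public, 1 = internal, 2 = confidential, 3 = regulated
    records: int      # approximate number of records held
    hosting: str      # "on-prem", "cloud" or "third-party"


# Constructed inventory. The email server is deliberately BCP tier 3 yet
# holds a large volume of confidential data, the case the article describes.
INVENTORY: List[Asset] = [
    Asset("order-processing-db", "Sales Ops", 1, 2, 2_000_000, "on-prem"),
    Asset("payment-gateway", "Finance", 1, 3, 500_000, "third-party"),
    Asset("email-server", "IT", 3, 2, 8_000_000, "cloud"),
    Asset("hr-payroll-saas", "HR", 2, 3, 12_000, "third-party"),
    Asset("intranet-wiki", "Comms", 4, 1, 40_000, "cloud"),
    Asset("dev-build-server", "Engineering", 3, 1, 5_000, "on-prem"),
    Asset("public-website", "Marketing", 2, 0, 0, "cloud"),
    Asset("print-server", "IT", 4, 0, 0, "on-prem"),
]

# Assumed exposure multipliers: data held outside the perimeter is harder
# to monitor, so it weighs more in the loss-impact view.
HOSTING_EXPOSURE: Dict[str, float] = {"on-prem": 1.0, "cloud": 1.2, "third-party": 1.5}


def continuity_score(a: Asset) -> float:
    """BCP view: tier 1 scores 4.0, tier 4 scores 1.0."""
    return float(5 - a.bcp_tier)


def loss_impact_score(a: Asset) -> float:
    """Attacker view: what is lost if the asset's data is taken.

    log10 of the record count dampens raw volume; sensitivity and hosting
    exposure multiply it. Assets holding no sensitive data score zero.
    """
    if a.records == 0 or a.sensitivity == 0:
        return 0.0
    return a.sensitivity * math.log10(a.records) * HOSTING_EXPOSURE[a.hosting]


def score_inventory(inventory: List[Asset]) -> Dict[str, float]:
    """Combine both views, each normalised to [0, 1] and weighted equally."""
    cont = {a.name: continuity_score(a) for a in inventory}
    loss = {a.name: loss_impact_score(a) for a in inventory}
    cmax = max(cont.values()) or 1.0
    lmax = max(loss.values()) or 1.0
    return {a.name: 0.5 * cont[a.name] / cmax + 0.5 * loss[a.name] / lmax
            for a in inventory}


def crown_jewels(inventory: List[Asset], fraction: float = 0.25) -> List[str]:
    """Names of the top `fraction` of assets by combined score, best first."""
    scores = score_inventory(inventory)
    k = max(1, round(len(inventory) * fraction))
    ranked = sorted(inventory, key=lambda a: scores[a.name], reverse=True)
    return [a.name for a in ranked[:k]]


def value_share(inventory: List[Asset], names: List[str]) -> float:
    """Share of total combined score carried by the named assets."""
    scores = score_inventory(inventory)
    total = sum(scores.values()) or 1.0
    return sum(scores[n] for n in names) / total


def continuity_blind_spots(inventory: List[Asset]) -> List[str]:
    """Assets in the top half by loss impact that the BCP view rates tier 3 or 4."""
    by_loss = sorted(inventory, key=loss_impact_score, reverse=True)
    top_half = by_loss[: len(inventory) // 2]
    return [a.name for a in top_half if a.bcp_tier >= 3]


def third_party_hosted(inventory: List[Asset], names: List[str]) -> List[str]:
    """Of the named assets, those not hosted on-prem (need partner-side monitoring)."""
    return [a.name for a in inventory if a.name in names and a.hosting != "on-prem"]


if __name__ == "__main__":
    jewels = crown_jewels(INVENTORY)
    print("Crown-jewel candidates:", jewels)
    print("Share of total value: %.0f%%" % (100 * value_share(INVENTORY, jewels)))
    print("Missed by the BCP view alone:", continuity_blind_spots(INVENTORY))
    print("Hosted off-prem, monitor with the provider:", third_party_hosted(INVENTORY, jewels))
```

With the constructed inventory the top quarter of assets carries a little over 40% of the combined score, the email server is reported as a continuity blind spot even though it is not a crown jewel under the combined ranking, and the third-party payment gateway is singled out for partner-side monitoring. The weights are the part to argue over with the business: the structure (two views, normalised, then compared) is what keeps the email-server case from being missed.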
Crown Jewel Analysis can be a large, resource-intensive, and time-consuming exercise, but it is critical to building a security program that provides sufficient coverage. There is no one-size-fits-all approach to Crown Jewel Analysis. Look to the MITRE Crown Jewel Analysis as a good starting point.
Value industry knowledge. In an organization every department has its own goals and responsibilities, and getting business and technology folks to the same table is often a challenge in itself. Best practice is to hire experienced consultants to drive such an important initiative, who can bring a laser-focused and structured approach that delivers efficiency and value. Be careful in selecting such consultants. Look for consultants who bring industry expertise in your kind of business and also offer depth in cyber security.