Understand Your Business: What Are You Protecting?Chapter 1 of the Upcoming Book "Heuristic Risk Management" by Michael Lines
Learn about an effective approach for setting up a risk-based information security program from CyberEdBoard executive member Michael Lines.
See Also: Stopping BEC and EAC
Michael Lines is working with Information Security Media Group to promote awareness of the need for cyber risk management, and as a part of that initiative, the CyberEdBoard will post draft chapters from his upcoming book, "Heuristic Risk Management: Be Aware, Get Prepared, Defend Yourself."
Alice: "Would you tell me, please, which way I ought to go from here?"
The Cheshire Cat: "That depends a good deal on where you want to get to."
Alice: "I don’t much care where."
The Cheshire Cat: "Then it doesn’t much matter which way you go."
–Lewis Carroll, "Alice in Wonderland"
In this chapter, I will discuss what you need to know to develop an effective program to protect your company from cyberthreats.
To start, you need to understand what matters most to your company’s leaders. While that sounds simple and obvious, I have lost count of the number of security leaders who do not have a clue as to the priorities of their company’s executives. Instead, they are wrapped around the axle of implementing or managing a security framework such as ISO or NIST and are constantly surprised when their peers and CEO do not see them as a partner in helping the business succeed.
As you start in your role as the CISO or other security leader, you need to develop relationships with your peers and the leaders of all the major business functions – finance, HR, sales, production, etc. Start scheduling interviews with each, to understand what they do, and what their pain points/concerns are regarding cybersecurity.
Also, use these sessions to develop an understanding of what matters to the business. What are the “crown jewels”? Don’t attempt to get all the information I detail below in a single sitting from each session. Rather, build a picture over time, confirming the information you gain from one person with others as you hold your meetings.
To develop an effective and business-aligned security program, there are five major things regarding the business you need to understand. These are:
What you want to know, without asking in such a way as to make you appear clueless, is how the people you are talking to view the company’s mission, customers and markets. Use this feedback to confirm the understanding you should have developed when researching the company before you joined.
You want to confirm that there is not a mission or agenda in play that you might not be aware of. For example, a plan to change the company’s mission or products, to acquire other companies to grow into new markets, or to be acquired. For startups especially, these options are a distinct possibility. Just because a company’s marketing literature firmly states, "We deliver the best (whatever)!" does not mean that will always be the case.
Next, you want to discover how the company makes money, which will generally be from your conversations with finance and sales executives. What you want to know is: What products or services do they sell? Which sells the most? Which products or services matter most from a revenue and profitability perspective?
If your company sells products and services to specific companies rather than the public, you will also want to know who your major customers and/or markets are.
As you learn what is important, you will begin to fit the puzzle pieces together in your quest to identify the “crown jewels." These are those assets that are vital to the revenues and the operations of the company, or data whose disclosure can cause serious repercussions to the company’s operations or reputation.
The best way to identify what data is important, it to look at it from the perspective of high-level categories of information. The aim at this point is not to identify what systems this data resides on (that comes next) or to get into all the details regarding the data, but to understand what is in scope. A simple "yes" (we have it) or "no" (we don’t) answer will suffice at this stage. The broad categories of sensitive data you want to identify are:
- Personally Identifiable Information (PII): This is a general term that is used to describe any form of sensitive data that could identify an individual. PII has historically been known to just include Social Security numbers, phone numbers, mailing or email addresses, or driver’s licenses. But as technology and software have advanced, along with associated breach reporting regulations, the breadth of PII has also expanded. PII can also include login IDs, digital images, IP addresses, social media posts and other digital forms of data.
- Protected Health Information (PHI): This would include any medical information that might identify an individual’s use of healthcare services, including both diagnosis and treatments.
- Intellectual Property (IP): This includes all assets such as copyrights, patents, trademarks and trade secrets that are vital to the operations or success of the business.
- Cardholder Data (CD): Cardholder data is any personally identifiable information (PII) associated with a person who has a credit or debit card. This data includes the primary account number (PAN) along with any of the following data types: cardholder name, expiration date or service code.
- Sensitive Operational Data: All information that is vital to the operation of the business, including financial data, logistical data - depending on the business, customer information, etc.
- Other Reportable or Sensitive Data: This includes classified information - if the company works with the government or defense industry, legally privileged information, data relating to a company that could affect the company’s share price, etc. It's anything that could cause you to notify either the government, your customers or partners, should the information be lost, damaged or inappropriately accessed.
As you determine whether the company uses or maintains any of the categories of sensitive data discussed above, you will probably discuss the systems that this data is associated with, and the role that these systems play in the company’s operations. This can range from HR systems to internal IT systems used for production to external Software as a Service (SaaS) systems that are used for client tracking or marketing.
To help nontechnical business leaders identify what systems are important, help them think about what the business impacts could be if they were not available. Could the company operate if individuals could not exchange email? If it could not produce its products or deliver its services? If it could not pay its suppliers or their employees? All of these can prompt an “aha moment" and help highlight potentially critical systems.
Besides third-party SaaS applications that are vital to running the business, there may also be third-party partners who are equally vital to your company’s business operations. These can range from call centers that handle customer support and backroom processing, to suppliers of critical components or raw goods, to distributors or sellers of your products or services.
Make sure that you start a list of these as well, as you will need this information as a starting point for setting up your third-party risk management function.
In the next chapter, I will discuss knowing your enemies, or who is attacking you.
CyberEdBoard is ISMG’s premier members-only community of seniormost executives and thought leaders in the fields of security, risk, privacy and IT. CyberEdBoard provides executives with a powerful, peer-driven collaborative ecosystem, private meetings and a library of resources to address complex challenges shared by thousands of CISOs and senior security leaders located in 65 different countries worldwide.
Join the Community - CyberEdBoard.io.
Michael Lines is an information security executive with over 20 years of experience as a Chief Information Security Officer, or CISO, for large global organizations, including PricewaterhouseCoopers, Transition and FICO. In addition, he has led several advisory services practices, delivering security, risk and privacy professional services to major corporations. Lines writes, blogs, speaks at conferences and webinars, and provides interviews on a wide variety of information security topics, primarily concerning what it takes to develop and run effective information security programs and why so many companies continue to suffer security breaches due to ineffective risk management.