Cybersecurity readiness starts by going back to the root of the issue: What are you protecting and what are the potential threats. When you understand what you are protecting and how cybersecurity works, you can then begin analyzing your whole cybersecurity protection program: How much you should be spending, how much you are investing, where you need to invest, and the cost-benefit trade-off.
In part one of SightGain’s Cyber Readiness Principles Series, let’s talk about how we can break down cybersecurity protection problems into fundamental building blocks for your organization. Watch the video below.
0:49 Personality-Based Systems
1:55 Questions to Help Protect Your Crown Jewels
3:22 How to Analyze Your Crown Jewels
In this video, I want to talk to you about a first principle that really gets to the heart and soul of the company: what is it that you are protecting?
We sometimes call this the data security crown jewels.
So the opportunity here is by understanding what it is you’re protecting, how much it’s worth, how it works, you can really start to analyze your whole cybersecurity program. How much you should be spending, how much you are investing where you need to invest, and the cost-benefit trade-off.
0:49 Cybersecurity Protection: Personality-Based Systems
Organizational inertia, it’s not until a big event or a big personality comes by that you actually start to do something. However, when it’s personality-based, there’s no analysis test happening at all. It’s just based on what this person says, whether it’s true or not, it doesn’t matter.
However, when it’s personality-based, it doesn’t mean things are going to happen in the right way. They might just make a convincing argument, but it doesn’t mean you spent your money in the right places, on the right things, or that you even needed to spend the money at all.
So I’d like to kind of share a story of a big organization that we worked with. I remember I was at a large federal organization. They were very much a compliance focus shop . 99% of their time would focus on the next compliance report, and ensuring that got correct.
So how did they make cybersecurity investment decisions? Personality. So it was no surprise that they had more tools than the Firestone garage, and then we found when we actually tested their performance, they had massive gaps in their overall posture and had to make further investments and refine their approach.
1:55 Cybersecurity Protection: Questions to Help Protect Your Crown Jewels
So how do you know you’re protecting your cybersecurity crown jewels? First, start with your business objectives. What is that organization there to do, and how does it do it? So that leads to the second, which is function. How do we achieve those objectives, and what technologies are involved, and what data is required in order to meet those objectives? And third, how are you protecting them? What systems do we have in place to try to make sure that we’re stopping threats as they come up against our business value?
So it’s really important to understand what your business objectives are, what is this organization trying to do, and then from that core, understand the functions and the operational parameters of how you achieve those objectives.
From those operational functions, we’ll be able to understand what system dependencies are in place and understand how that data flow occurs, and what systems are underpinning the overall operations.
And finally, what systems are in place to protect those very crown jewels? How do we make sure we have the right systems in the right place in order to analyze a performance that is necessary to make sure we achieve those business objectives.
More than any of the other first principles, this one requires leadership attention. We have to really understand the core of what that organization is there to do in order to understand how we should protect it and what things are required.
3:22 How to Analyze Your Crown Jewels
So how do we analyze your cybersecurity crown jewels? It starts first with your business objective. What is your organization there to do? How does it work? And what happens if certain things are shut off or not available?
From those business objectives, we then go into operational functions. How do those business objectives get achieved, what things are required to make it happen?
Finally, we look at system dependencies. What things underpin those objectives? What things work and make those features happen? And then from that system dependency, we can start to analyze cybersecurity performance.
It’s not until we understand all of those first things and those very core business objectives that we can actually analyze your cybersecurity in the context that is required to make sure you’re making the right investment decisions.
This is a core first principle in order to make sure your cybersecurity systems are working.
Find out more how we improve performance through this first principle and look at our other videos to understand the whole readiness platform.
Be sure to subscribe and click the link below or ask a question so that our cybersecurity readiness experts can answer at a moment’s notice.