Over the years I have spoken to organizations of all shapes and sizes about how to address their IT security challenges. Often my work has involved driving a change of focus — from trying to prevent attacks, to looking at how to protect their core data assets.
Today, we are seeing security spending as high as ever, but the number of breaches continues to go up. It’s not hard to understand why — as technology becomes more and more complex, more can also go wrong. The computer landscape used to look like office blocks, each with doors and windows that could be secured. Now it looks more like a small city, complete with complex communications networks and underground tunnels.
This is not something new to be fair, but the important point is that it is getting more complex all the time. If ever it was possible to create a one hundred percent secure boundary around a business, its computer systems and networks, it certainly is no longer.
This is why, when I talk to the businesses we work with, one of the first questions I ask is, “What are you trying to protect?” It’s a straightforward enough question perhaps, but it isn’t very easy to answer. Despite this, working out an answer is one of the most fundamental things an organization can do towards making itself secure.
It makes the topic of security very tangible, very quickly. In breach-oriented thinking, focus is on the devices – mobile phones, email systems, routers, firewalls, virtual machines and so on. With data orientation, however, thinking moves to topics like customer data, IP assets, process information and so on.
While employee records will be a must for everyone, some organizations may actually have very little they want to keep private. In which case, good luck to them. The majority should be able to rank the information they hold, aiming at identifying a small subset that is absolutely confidential and a larger pool of less sensitive information.
Working this out to any extent enables another question to be asked – what happens if the data is revealed rendered inaccessible or otherwise tampered with? Having the right contingency plans in place could enable an organization to keep its reputation, or even remain in business, following a security breach.
Breaches will continue to happen – to expect otherwise would be unrealistic. But as their scale and complexity grows, focusing on them first would take up all an organization’s IT security bandwidth. A better starting point is to know what you are trying to protect.
If you could only have a plan in place to protect at least your most important data assets, you will have a much more solid foundation to build on than a significant proportion of the organizations I see.
To learn more, visit securethebreach.com.
