Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

The Most Important Security Question No One Seems to be Able to Answer

Let me ask you a very simple question.

What is your organization’s sensitive data, and where is it?” 

Let me ask you a very simple question.

What is your organization’s sensitive data, and where is it?” 

You can’t shrug this two-part question off, although many security leaders have been doing just that for the last 10 years or more. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. So, let me talk this through. 

There should be no debate about the necessity of knowing the answer to these two critical questions on which all actual security is based. Come to think of it, it’s not just security. How does an organization conduct business without knowing what is critical and where that “something” is? Simple, it can’t. Are servers critical? Workstations? Badge readers? Filing cabinets? Or rather is it the things stored inside or the processes conducted by these things that matters?

Where is Your Sensitive Data?The answer varies from company to company, enterprise to enterprise, but one thing is certain– there are specific answers for your organization. Without those answers security has no choice but to treat every asset, from spreadsheet to paper file, as equally critical. This makes no sense, but when you don’t know any better, this is what you are stuck with. If this feels oddly familiar, it should. This is the way most of us do security today. 

This begs the question, why hasn’t anyone found a better way? The answer is unfortunately much the same for many of security’s biggest problems – it’s hard. It’s much simpler to address symptoms ad infinitum than it is to attempt a resolution at the root cause.

To be frank, to say this is a hard problem is a serious understatement. For many companies the answers to these questions are monumental, and seemingly impossible to answer. Imagine you’re a large international company with locations around the globe, remote employees consuming local and cloud services while working with corporate data on their mobile devices, thousands of servers, workstations and other components all over the place. Your organization is dynamic and regularly acquires and divests certain entities as the business climate changes. Now tell me, what and where are your critical assets and processes?

Easier said than done, right? But just because it’s absolutely difficult doesn’t mean we shouldn’t be trying like mad to answer these questions. Working towards these goals should be an organizational goal, not just that of security. Security should be a supporting function to the business, but if the security organization doesn’t have baseline knowledge of what they should be protecting – the cause is lost.

Good tools can help an effort like this. Bad tools can hinder. But in this case we seem to be working with a lack of tools. I can think of maybe one of two tools available in the market today that are built specifically to address this problem. Others like data loss prevention (DLP) tools are used because we’ve discovered that their side effect helps in identifying data. But, the issue is there is a distinct lack of tools. This doesn’t help the cause.

Advertisement. Scroll to continue reading.

If you were expecting me to offer up some simple and elegant solution for you – I don’t have one. What I can offer up is a lot of hard work, necessity for cooperation across business and IT, and what will feel like a never-ending project. The result, however, is a way to do security with purpose. 

Don’t get discouraged if the effort feels like more than you can do on your own. It will be. You’ll need to enlist support and hands from across the enterprise. You’ll want to set attainable goals and focus on critical parts of the organization first. Set a strategy. Build yourself a concentric ring model, and start at the most important parts and work your way out. Just quit using the “it’s hard” excuse because unless you figure this out, the rest of what you’re doing in security is running on a hamster wheel.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...