Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

The Most Important Security Question No One Seems to be Able to Answer

Let me ask you a very simple question.

What is your organization’s sensitive data, and where is it?” 

Let me ask you a very simple question.

What is your organization’s sensitive data, and where is it?” 

You can’t shrug this two-part question off, although many security leaders have been doing just that for the last 10 years or more. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. So, let me talk this through. 

There should be no debate about the necessity of knowing the answer to these two critical questions on which all actual security is based. Come to think of it, it’s not just security. How does an organization conduct business without knowing what is critical and where that “something” is? Simple, it can’t. Are servers critical? Workstations? Badge readers? Filing cabinets? Or rather is it the things stored inside or the processes conducted by these things that matters?

Where is Your Sensitive Data?The answer varies from company to company, enterprise to enterprise, but one thing is certain– there are specific answers for your organization. Without those answers security has no choice but to treat every asset, from spreadsheet to paper file, as equally critical. This makes no sense, but when you don’t know any better, this is what you are stuck with. If this feels oddly familiar, it should. This is the way most of us do security today. 

This begs the question, why hasn’t anyone found a better way? The answer is unfortunately much the same for many of security’s biggest problems – it’s hard. It’s much simpler to address symptoms ad infinitum than it is to attempt a resolution at the root cause.

To be frank, to say this is a hard problem is a serious understatement. For many companies the answers to these questions are monumental, and seemingly impossible to answer. Imagine you’re a large international company with locations around the globe, remote employees consuming local and cloud services while working with corporate data on their mobile devices, thousands of servers, workstations and other components all over the place. Your organization is dynamic and regularly acquires and divests certain entities as the business climate changes. Now tell me, what and where are your critical assets and processes?

Easier said than done, right? But just because it’s absolutely difficult doesn’t mean we shouldn’t be trying like mad to answer these questions. Working towards these goals should be an organizational goal, not just that of security. Security should be a supporting function to the business, but if the security organization doesn’t have baseline knowledge of what they should be protecting – the cause is lost.

Good tools can help an effort like this. Bad tools can hinder. But in this case we seem to be working with a lack of tools. I can think of maybe one of two tools available in the market today that are built specifically to address this problem. Others like data loss prevention (DLP) tools are used because we’ve discovered that their side effect helps in identifying data. But, the issue is there is a distinct lack of tools. This doesn’t help the cause.

If you were expecting me to offer up some simple and elegant solution for you – I don’t have one. What I can offer up is a lot of hard work, necessity for cooperation across business and IT, and what will feel like a never-ending project. The result, however, is a way to do security with purpose. 

Don’t get discouraged if the effort feels like more than you can do on your own. It will be. You’ll need to enlist support and hands from across the enterprise. You’ll want to set attainable goals and focus on critical parts of the organization first. Set a strategy. Build yourself a concentric ring model, and start at the most important parts and work your way out. Just quit using the “it’s hard” excuse because unless you figure this out, the rest of what you’re doing in security is running on a hamster wheel.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.