Let me ask you a very simple question.
“What is your organization’s sensitive data, and where is it?”
You can’t shrug this two-part question off, although many security leaders have been doing just that for the last 10 years or more. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. So, let me talk this through.
There should be no debate about the necessity of knowing the answer to these two critical questions on which all actual security is based. Come to think of it, it’s not just security. How does an organization conduct business without knowing what is critical and where that “something” is? Simple, it can’t. Are servers critical? Workstations? Badge readers? Filing cabinets? Or rather is it the things stored inside or the processes conducted by these things that matters?
The answer varies from company to company, enterprise to enterprise, but one thing is certain– there are specific answers for your organization. Without those answers security has no choice but to treat every asset, from spreadsheet to paper file, as equally critical. This makes no sense, but when you don’t know any better, this is what you are stuck with. If this feels oddly familiar, it should. This is the way most of us do security today.
This begs the question, why hasn’t anyone found a better way? The answer is unfortunately much the same for many of security’s biggest problems – it’s hard. It’s much simpler to address symptoms ad infinitum than it is to attempt a resolution at the root cause.
To be frank, to say this is a hard problem is a serious understatement. For many companies the answers to these questions are monumental, and seemingly impossible to answer. Imagine you’re a large international company with locations around the globe, remote employees consuming local and cloud services while working with corporate data on their mobile devices, thousands of servers, workstations and other components all over the place. Your organization is dynamic and regularly acquires and divests certain entities as the business climate changes. Now tell me, what and where are your critical assets and processes?
Easier said than done, right? But just because it’s absolutely difficult doesn’t mean we shouldn’t be trying like mad to answer these questions. Working towards these goals should be an organizational goal, not just that of security. Security should be a supporting function to the business, but if the security organization doesn’t have baseline knowledge of what they should be protecting – the cause is lost.
Good tools can help an effort like this. Bad tools can hinder. But in this case we seem to be working with a lack of tools. I can think of maybe one of two tools available in the market today that are built specifically to address this problem. Others like data loss prevention (DLP) tools are used because we’ve discovered that their side effect helps in identifying data. But, the issue is there is a distinct lack of tools. This doesn’t help the cause.
If you were expecting me to offer up some simple and elegant solution for you – I don’t have one. What I can offer up is a lot of hard work, necessity for cooperation across business and IT, and what will feel like a never-ending project. The result, however, is a way to do security with purpose.
Don’t get discouraged if the effort feels like more than you can do on your own. It will be. You’ll need to enlist support and hands from across the enterprise. You’ll want to set attainable goals and focus on critical parts of the organization first. Set a strategy. Build yourself a concentric ring model, and start at the most important parts and work your way out. Just quit using the “it’s hard” excuse because unless you figure this out, the rest of what you’re doing in security is running on a hamster wheel.