Security Experts:

The Most Important Security Question No One Seems to be Able to Answer

Let me ask you a very simple question.

What is your organization’s sensitive data, and where is it?” 

You can’t shrug this two-part question off, although many security leaders have been doing just that for the last 10 years or more. While we can all agree that fundamentally security can’t succeed without knowing what we’re protecting, there are next to no good answers for how to do this. There is, however, no lack of excuses for why organizations don’t have these answers. So, let me talk this through. 

There should be no debate about the necessity of knowing the answer to these two critical questions on which all actual security is based. Come to think of it, it’s not just security. How does an organization conduct business without knowing what is critical and where that “something” is? Simple, it can’t. Are servers critical? Workstations? Badge readers? Filing cabinets? Or rather is it the things stored inside or the processes conducted by these things that matters?

Where is Your Sensitive Data?The answer varies from company to company, enterprise to enterprise, but one thing is certain– there are specific answers for your organization. Without those answers security has no choice but to treat every asset, from spreadsheet to paper file, as equally critical. This makes no sense, but when you don’t know any better, this is what you are stuck with. If this feels oddly familiar, it should. This is the way most of us do security today. 

This begs the question, why hasn’t anyone found a better way? The answer is unfortunately much the same for many of security’s biggest problems – it’s hard. It’s much simpler to address symptoms ad infinitum than it is to attempt a resolution at the root cause.

To be frank, to say this is a hard problem is a serious understatement. For many companies the answers to these questions are monumental, and seemingly impossible to answer. Imagine you’re a large international company with locations around the globe, remote employees consuming local and cloud services while working with corporate data on their mobile devices, thousands of servers, workstations and other components all over the place. Your organization is dynamic and regularly acquires and divests certain entities as the business climate changes. Now tell me, what and where are your critical assets and processes?

Easier said than done, right? But just because it’s absolutely difficult doesn’t mean we shouldn’t be trying like mad to answer these questions. Working towards these goals should be an organizational goal, not just that of security. Security should be a supporting function to the business, but if the security organization doesn’t have baseline knowledge of what they should be protecting – the cause is lost.

Good tools can help an effort like this. Bad tools can hinder. But in this case we seem to be working with a lack of tools. I can think of maybe one of two tools available in the market today that are built specifically to address this problem. Others like data loss prevention (DLP) tools are used because we’ve discovered that their side effect helps in identifying data. But, the issue is there is a distinct lack of tools. This doesn’t help the cause.

If you were expecting me to offer up some simple and elegant solution for you – I don’t have one. What I can offer up is a lot of hard work, necessity for cooperation across business and IT, and what will feel like a never-ending project. The result, however, is a way to do security with purpose. 

Don’t get discouraged if the effort feels like more than you can do on your own. It will be. You’ll need to enlist support and hands from across the enterprise. You’ll want to set attainable goals and focus on critical parts of the organization first. Set a strategy. Build yourself a concentric ring model, and start at the most important parts and work your way out. Just quit using the “it’s hard” excuse because unless you figure this out, the rest of what you’re doing in security is running on a hamster wheel.

view counter
Rafal Los is an industry innovator, strategist, and personality. Currently Rafal is the Vice President of Security Strategy at Lightstream Managed Services where he is responsible for strategy and design of the security practice. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Rafal's strengths include strategic leadership, developing and refining market strategies, business process optimization, and bringing people together to solve complex problems. Most recent achievements include assisting a company in its pivot from infrastructure provider to security-as-a-service by developing a pre-sales strategy and developing a professional services framework; implementing significant changes in business process that led to the company's ability to measure the impacts of various efforts on the sales cycle. Follow Rafal on Twitter: @Wh1t3rabbit.