Rapid Risk Reduction
Believing that you have to protect EVERYTHING is a traditional approach to cyber security. Striving to secure all data across your organization to the highest level is not how you do effective security. Instead, a better objective is to have the ability to identify what your critical, high-value data assets are and then put the right security controls around them. If you try to protect your Miley Cyrus DVDs to the same level that you protect your corporate crown jewels, you are not doing your security properly — you are doing your organization a disservice. You’re not in the business of throwing away your hard-earned money on things like inefficient cyber security focused in the wrong areas. When you are allocating even an extremely modest cyber security budget, spend your money on the quick security wins that protect your most important information, the information that is most vulnerable to a data breach. This is the information that must, under no circumstances, leak outside of your company walls.
As an organization, you hold the sensitive, private data of your clients, customers, shareholders, employees and third-party suppliers. Protected Health Information, Personally Identifiable Information and Payment Card Industry data are common categories of valuable and sensitive information in your care, custody and control. You might have shareholder data, social security numbers, financial information belonging to clients and/or proprietary data assets such as business plans and strategies, M&A data, trade secrets and sensitive legal communications.
The process we recommend to every organization includes the following action items:
1. Determine what your data is worth to you and create an inventory of the most valuable, intangible assets in the organization
2. Create a comprehensive list of risks to your valuable, sensitive data prioritized in terms of both likelihood and severity of risk consequences
3. Define your level of acceptable cyber risk, i.e. your risk appetite
4. Put prevention, detection and mitigation controls in place around your most valuable and most vulnerable assets
5. Test your controls for effectiveness
6. Regularly monitor and review your cyber risk management program
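The six steps above can be worked through as a small risk register. The following is an added illustration, not code from Cyber SC or from the original post: it scores each risk as asset value × likelihood × severity on constructed 1-to-5 scales (step 1 and 2), ranks the register so the highest inherent risks get attention first, applies controls that lower likelihood or severity (step 4), and then reports which residual risks still sit above a stated risk appetite (steps 3 and 5). The assets, threats, scores and control reductions are constructed sample values, and the multiplicative scoring is one common convention rather than anything the post prescribes.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed ordinal scales: 1 = lowest, 5 = highest.
SCALE_MIN, SCALE_MAX = 1, 5


def clamp(value: int) -> int:
    """Keep a reduced likelihood or severity inside the 1..5 scale."""
    return max(SCALE_MIN, min(SCALE_MAX, value))


@dataclass
class Control:
    """A prevention, detection or mitigation control (step 4)."""
    name: str
    likelihood_reduction: int = 0   # points taken off likelihood
    severity_reduction: int = 0     # points taken off severity


@dataclass
class Risk:
    """One row of the risk register (steps 1 and 2)."""
    asset: str
    threat: str
    asset_value: int       # step 1: what the data is worth to you
    likelihood: int        # step 2: how likely the threat is
    severity: int          # step 2: consequence if it materialises
    controls: List[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls are applied."""
        return self.asset_value * self.likelihood * self.severity

    def residual_score(self) -> int:
        """Risk left over once the listed controls are in place."""
        likelihood = clamp(self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        severity = clamp(self.severity - sum(c.severity_reduction for c in self.controls))
        return self.asset_value * likelihood * severity


def prioritise(register: List[Risk]) -> List[Risk]:
    """Step 2: order the register so the biggest inherent risks come first."""
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def exceeds_appetite(register: List[Risk], appetite: int) -> List[Risk]:
    """Step 3 and 5: residual risks still above the acceptable level, worst first."""
    over = [r for r in register if r.residual_score() > appetite]
    return sorted(over, key=lambda r: r.residual_score(), reverse=True)


def build_sample_register() -> List[Risk]:
    """Constructed example register; values are illustrative, not measured."""
    return [
        Risk("Customer PHI database", "ransomware with data exfiltration", 5, 4, 5,
             controls=[Control("offline backups + endpoint detection", 2, 1)]),
        Risk("Marketing DVD library", "physical theft", 1, 2, 1),
        Risk("M&A data room", "credential phishing", 5, 5, 5,
             controls=[Control("phishing-resistant MFA", likelihood_reduction=3)]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    appetite = 30  # constructed risk appetite on the same scoring scale
    for risk in prioritise(register):
        print(f"{risk.asset:24} inherent={risk.inherent_score():4} "
              f"residual={risk.residual_score():4}")
    for risk in exceeds_appetite(register, appetite):
        print(f"ABOVE APPETITE: {risk.asset} ({risk.threat}) residual={risk.residual_score()}")
```

Running the script shows the DVD library correctly falling to the bottom of the list, while the PHI database and the M&A data room remain above the appetite of 30 even after their first control is applied, which is the signal to add further controls or revisit the appetite before moving on to step 6.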
In going through this process, you are helping to define your organization’s overall risk appetite. Once you have treated the risks to your highest priority data assets (Steps 4 and 5), you are left with your residual risk. If this level of risk matches your current risk tolerance level — your level of acceptable risk — then you have achieved your target level of cyber security for this point in time. It comes down to being able to assess data and its value to the business, assess the risk level to that data and then assign the appropriate risk controls around that data.
On the Cyber SC homepage, we state: “We exist to help you build protection around all the critical points in your organization so that your business can grow while your operation runs smoothly and securely.” By critical points, we specifically mean where your most valuable and sensitive data is located in your networks. Before we ever dream of making any recommendations to our clients, we make sure their understanding of what their most sensitive information is, and what their risks are, is crystal clear. The most cost-effective approach to cyber security is the 80/20 approach: focus 80% of your resources and attention on your top 20% most valuable information and set up effective security controls around those data assets. This pragmatic process of cyber risk prioritization sets up our clients for quick cyber security wins — what we refer to as Rapid Risk Reduction. You can’t possibly protect everything, but you can focus on protecting what is most important.