In Why Should TMG and cyberCTRL Manage Your Cybersecurity?, I described how my thinking about cybersecurity had evolved over the years, resulting in the development of the first “cybersecurity as a service” platform: cyberCTRL. Next, I walked you through some basic steps to think through the true mission and culture of your business. Now, in this and the following posts, I’m going to walk you through some of the basics of cybersecurity programs.
First question: why are we putting ourselves through all this misery? What’s it all for? You know the answer to that one: to protect your business. But in order to do that effectively, you need to understand what specifically you are protecting.
Yes, that’s right, it’s time to talk about assets.
For our purposes, an asset is anything of value to your business. Ask yourself: what exactly are the “things of value” in your world? Always remember the basic rule: if something is valuable to you, it is valuable to someone else, and it will need appropriate care and protection.
Of course, all things in context, and our context is cybersecurity. It may well be true that your most valuable asset is a physical product—always worth considering and protecting. But in our case, we need to look at that physical asset from a cybersecurity perspective.
Let’s think about a company that produces high-end analog watches, which cost $150,000 each. The company lives or dies based on the sales of this very expensive analog item, so in that sense the watch is the firm’s most important asset. From a cybersecurity perspective, however, it is not the watch itself that is the asset, but rather, all the data relating to the watch—its design, manufacturing plans, marketing strategy, and so on. If the design is stolen, then someone can replicate the exact watch and flood the market with knockoffs, causing enormous damage to the company.
What about privacy? Does this physical asset carry any privacy risk? Well, the watch itself does not store, process, or disseminate any personal identifiable information. It is just an (expensive) analog watch. It doesn’t know your name, your ID, your blood type, or your age. It doesn’t know anything except the time. But that’s not where the story ends.
We know that the watch is the end product of a long and complex manufacturing process, the result of years of intellectual labor, and sold to a discriminating clientele secured through intricate marketing and proprietary lead lists, forged into extremely valuable relationships for the firm. Are there privacy risks associated with any of this? You bet!
So what are your assets of value? The category must include your company’s personally identifiable information (PII) data and any protected health information (PHI) data, along with all the supporting (curating and controlling) systems, processes, workflows, and people. There is no distinction with regard to whose data that may be—in other words, employee PII must be treated with the same reverence as customer PII.
Other examples of “assets of value” include all intellectual property (designs, product information, research, etc.), strategic plans, financial plans, merger and acquisition plans, and tactics. If in doubt whether a cyber asset is of value, ask a few simple questions:
- What happens if the PII associated with this asset is exposed, corrupted, or exfiltrated?
- What happens if this asset is destroyed or corrupted?
- What happens if it becomes public? Or falls into the wrong hands?
If the answer is “nothing,” scratch your head as to why you are maintaining worthless assets, and move on. If, on the other hand, you discover that all sorts of things happen if the assets are exposed, corrupted, become unavailable, or are destroyed, then you need to start cataloging!
How exactly do you go about doing this? You undergo an asset classification and valuation. This is a fairly existential exercise! You will need to understand and document the true essence of your company.
A good first step will be to get a grip on the total universe of our assets. What is included in our definition? Assets would typically fall into one of the following categories: data, hardware, software, systems, processes, and workflows.
Data: It is important to differentiate between information and data. Frequently, people use the terms interchangeably, and that’s okay for everyday use, but we should be clear on the distinction because the implications can be significant. Data is information that has been captured, stored, and represented in some medium. Data is often an expression of information, but that doesn’t mean that data is a complete representation of that piece of information.
Consider a pot of boiling water. I have a sensor in the pot that measures the temperature of the water and transmits it, which is stored in my system in a field called “water temperature.” That’s data! But there’s a lot beyond that number that we could notice about the actual physical event of boiling water: the magic of phase transition from liquid to gas; the beauty of the rising bubbles; the mathematics of turbulence of the water’s surface, and so on. That’s all information about the boiling water, but it’s not data.
Personally identifiable information and the corresponding privacy metadata lives and dies in this gray world between information and data. It is our job to understand it and capture it because it is the most critical asset in our valuation. It is also the primary determinant of the asset’s value.
Hardware: Hardware is all the electronic equipment that stores, processes, or transmits data. It’s also the stuff that controls other stuff, such as thermostats, and all the fun gizmos that make the Internet of Things possible. Why did I limit myself to “electronic” just now? Okay, you got me! Computer hardware can also be mechanical or even quantum. But unless you’re Charles Babbage building the Difference Engine out of wood, or you work at an advanced computing facility, electronic hardware is the only kind you need to worry about.
Software: Software is the applications—from operating systems to apps—that use hardware to get things done. This includes, of course, software that runs in the Internet of Things (IoT), such as an Internet-connected refrigerator in the breakroom.
Systems: A system is a collection of hardware, software, and networks that processes data. Systems can be internal or external, and they are frequently a combination of both.
Processes and Workflows: These are the sequences of steps involved in creating, transforming, processing, storing, and transmitting data across systems. Processes and workflows are assets that contribute value to the company, and as such, are worthy of careful consideration and protection. How exactly do you protect processes and workflows? It depends. The first step, no matter what, is knowing about them—that is, documenting and cataloging them. This step will reveal any dependencies on systems that these processes and workflows may have. Your thinking about protection starts there, and it cuts both ways: How does the process affect the system, and how does the system affect the process? We’ll look at this more closely when we discuss controls. For now, keep this in the back of your mind and think about concepts like business continuity and disaster recovery.
The list above constitutes your universe of assets. But once you’ve identified the contents of that universe, where do you start with a risk assessment?
First, identify your business managers. Each one will typically be responsible for a line of business or a department. Sit down with each one and ask him or her to identify all the things that are absolutely necessary to do their jobs. The list is likely to include multiple assets, both hard (computers, facilities, etc.) and soft (software, workflows, etc.). You should work with each manager in ranking and prioritizing each asset. At the end of these meetings, you will have a very clear idea of each department’s assets, and the corresponding effect of each asset’s loss.
If you want to get formal about this, you can ask for a department-by-department business impact analysis, and from the results, you can derive both the assets and the business impact of their loss or disruption. But what fun is that? Make it personal and get in there! Roll up your sleeves and work with your colleagues in getting all this done. You’ll certainly gain a better understanding of what’s going on with the business and make a whole bunch of new friends. (Or enemies, if they don’t want to be bothered … But hey! You’re the one trying to cover their assets! They’ll see the light eventually.)
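To make the exercise concrete, here is a small asset register that captures the three questions from the checklist above (exposed, corrupted or destroyed, unavailable), the per-department ranking you get out of the manager meetings, and the process-to-system dependencies the cataloging step is meant to reveal. This is an added illustration written for this post, not cyberCTRL code or any tool TMG ships; the watch-company assets, owners, and scores are constructed, and the 0–3 scoring scale and the rule that PII raises an asset's floor are assumptions, not a standard.

```python
"""Toy asset classification and valuation register (added example; all assets,
owners and scores below are constructed for illustration)."""
from dataclasses import dataclass, field
from enum import Enum


class Category(Enum):
    DATA = "data"
    HARDWARE = "hardware"
    SOFTWARE = "software"
    SYSTEM = "system"
    PROCESS = "process"


@dataclass
class Asset:
    name: str
    category: Category
    owner: str            # the business manager you sat down with
    # Assumed 0..3 scale: 0 = "nothing happens", 3 = business-threatening.
    exposed: int          # what if it becomes public or falls into the wrong hands?
    corrupted: int        # what if it is destroyed or corrupted?
    unavailable: int      # what if the department cannot use it?
    contains_pii: bool = False
    depends_on: list = field(default_factory=list)  # names of supporting assets

    def impact(self) -> int:
        """Worst case across the three questions. PII (employee or customer,
        no distinction) gets a floor of 2 regardless of how the owner scored it."""
        score = max(self.exposed, self.corrupted, self.unavailable)
        return max(score, 2) if self.contains_pii else score


def build_register(assets):
    """Index assets by name and reject gaps: every dependency must itself be
    catalogued, which is exactly what the documenting step is for."""
    register = {}
    for a in assets:
        if a.name in register:
            raise ValueError(f"duplicate asset name: {a.name}")
        register[a.name] = a
    for a in register.values():
        for dep in a.depends_on:
            if dep not in register:
                raise ValueError(f"{a.name} depends on uncatalogued asset {dep!r}")
    return register


def prioritize(register):
    """Highest business impact first; ties broken by name for a stable list."""
    return sorted(register.values(), key=lambda a: (-a.impact(), a.name))


def worthless(register):
    """Assets whose loss changes nothing: the 'scratch your head' candidates."""
    return sorted(a.name for a in register.values() if a.impact() == 0)


def dependents(register, name):
    """Transitive set of assets that rely on `name`, directly or through others."""
    found, frontier = set(), [name]
    while frontier:
        current = frontier.pop()
        for other in register.values():
            if current in other.depends_on and other.name not in found:
                found.add(other.name)
                frontier.append(other.name)
    return found


def effective_impact(register, name):
    """A supporting system inherits the impact of whatever depends on it: the
    'how does the process affect the system' direction of the analysis."""
    own = register[name].impact()
    return max([own] + [register[d].impact() for d in dependents(register, name)])


# Constructed sample register for the watchmaker in the post.
SAMPLE_REGISTER = build_register([
    Asset("watch design files", Category.DATA, "Head of Engineering", 3, 3, 2,
          depends_on=["design file server"]),
    Asset("customer lead list", Category.DATA, "Head of Marketing", 3, 2, 2,
          contains_pii=True, depends_on=["CRM"]),
    Asset("employee payroll records", Category.DATA, "HR Manager", 3, 3, 2,
          contains_pii=True, depends_on=["payroll SaaS"]),
    Asset("design file server", Category.HARDWARE, "IT Manager", 1, 1, 1),
    Asset("CRM", Category.SYSTEM, "IT Manager", 1, 1, 2),
    Asset("payroll SaaS", Category.SYSTEM, "HR Manager", 1, 1, 2),
    Asset("order fulfilment workflow", Category.PROCESS, "Head of Operations", 1, 2, 3,
          depends_on=["CRM"]),
    Asset("retired 2015 brochure PDFs", Category.DATA, "Head of Marketing", 0, 0, 0),
])


if __name__ == "__main__":
    for a in prioritize(SAMPLE_REGISTER):
        eff = effective_impact(SAMPLE_REGISTER, a.name)
        print(f"{a.impact()} (effective {eff})  {a.category.value:9} {a.name:28} {a.owner}")
    print("candidates for retirement:", worthless(SAMPLE_REGISTER))
```

The interesting output is the gap between an asset's own score and its effective score: the design file server is cheap to replace on its own (impact 1), but because the watch design files live on it, it carries their impact (3) and should be protected accordingly. That is the dependency picture the manager interviews are meant to surface.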
Okay, you’re almost done. You’ve made tremendous progress in improving your understanding of your own organization—in fact, you’ve done more than most employees, or even some managers, ever do.
In The Calls are Coming from Inside the House: Threats, Part I, I’ll talk about the dark side of all this knowledge you’ve acquired. Because now that you thoroughly understand your assets, you need to start thinking about who might be coming for them. Actually, it’s better to say who will be coming for them. Remember what we said at the top of this post: if you view something as valuable, inevitably someone else will, too. So please join me for an investigation of threats.