Organization Is The Main Prerequisite For Security
I've always said that security starts with organization. What does that really mean for your organization (no pun intended)? The idea is that you cannot secure what you do not know exists. And what level of protection do these assets really need.
Security is often thought of as a layered approach, sometimes more accurately referred to as "defense in depth". This is partly because layers are more effective than a single line of defense. Another, possibly more important reason is that different objects, systems, and data require different levels of security.
Let's compare this to an airplane. Planes have many systems onboard, all designed to keep the plane in the air. But if it does crash, there is a black box, essentially a log collector of the last minutes of the flight. The comedian Steven Wright famously said "why don't they just make the whole plane out of that black box stuff?" While that certainly sounds great, it is not realistic. Similarly, in cyber security, you have to design the network to prioritize the most important data first and know that it is not possible to win all the battles.
This brings us to classification of assets and data. In order to determine the level of protection needed you first need to determine the value of each asset. Just as you would not keep your kitchen appliances in your home safe, there is no need to pay for, implement, maintain, and most importantly torture your users hopping through security for things that do not need to be secure. Immutable public data is one category that really doesn't need much security. For example if you have a sales brochure, making your sales force authenticate themselves to access that brochure is waste of everyone's time and likely will just alienate the security team from the rest of the company, in the long term weakening your Secuirty posture as a result. The easier and more cost effective approach is to make that resource available publicly via your website so the sales team can access it as needed.
By contrast, the most important data you own or are responsible for may be client records, personnel records, financial information, and intellectual property. This will vary from business to business and the best people to make that determination are not your IT or IT Secuirty folks, but the heads of the respective business units.
Think of the IT folks like the car salesman at the dealership. Before you buy a car you have some expectations. Maybe you need a commuter car to get to work, then a compact car could get the job done. Perhaps you need to drive 5 kids to sporting events weekly, then you likely need a minivan or SUV. Or maybe you need to tow your 3 ton mobile home on cross-country road trips, then perhaps you need a pickup truck. While you could try to commute in the pickup truck your weekly gas bill would not be optimized for your usage. Similarly, you could try to tow in the compact car, but it would not be safe and the vehicle would age much faster than anticipated.
It is just like that with data and asset protection. The two most common approaches for protecting data are 2FA and Encryption. But there are dozens of subtypes of 2FA and just as many different flavors of encryption.
Organizing and classifying your data based on the required protection level allows your IT Secuirty team to prioritize the security budget to get you the most bang for your buck while also meeting your main business objectives.
Sure, we would all like to live in a world where all business assets are safe from all threats; but until that is realistic, your best bet is to utilize defense in depth in conjunction with asset classification to achieve the most effective risk management strategy for your business.
Security is often thought of as a layered approach, sometimes more accurately referred to as "defense in depth". This is partly because layers are more effective than a single line of defense. Another, possibly more important reason is that different objects, systems, and data require different levels of security.
Let's compare this to an airplane. Planes have many systems onboard, all designed to keep the plane in the air. But if it does crash, there is a black box, essentially a log collector of the last minutes of the flight. The comedian Steven Wright famously said "why don't they just make the whole plane out of that black box stuff?" While that certainly sounds great, it is not realistic. Similarly, in cyber security, you have to design the network to prioritize the most important data first and know that it is not possible to win all the battles.
This brings us to classification of assets and data. In order to determine the level of protection needed you first need to determine the value of each asset. Just as you would not keep your kitchen appliances in your home safe, there is no need to pay for, implement, maintain, and most importantly torture your users hopping through security for things that do not need to be secure. Immutable public data is one category that really doesn't need much security. For example if you have a sales brochure, making your sales force authenticate themselves to access that brochure is waste of everyone's time and likely will just alienate the security team from the rest of the company, in the long term weakening your Secuirty posture as a result. The easier and more cost effective approach is to make that resource available publicly via your website so the sales team can access it as needed.
By contrast, the most important data you own or are responsible for may be client records, personnel records, financial information, and intellectual property. This will vary from business to business and the best people to make that determination are not your IT or IT Secuirty folks, but the heads of the respective business units.
Think of the IT folks like the car salesman at the dealership. Before you buy a car you have some expectations. Maybe you need a commuter car to get to work, then a compact car could get the job done. Perhaps you need to drive 5 kids to sporting events weekly, then you likely need a minivan or SUV. Or maybe you need to tow your 3 ton mobile home on cross-country road trips, then perhaps you need a pickup truck. While you could try to commute in the pickup truck your weekly gas bill would not be optimized for your usage. Similarly, you could try to tow in the compact car, but it would not be safe and the vehicle would age much faster than anticipated.
It is just like that with data and asset protection. The two most common approaches for protecting data are 2FA and Encryption. But there are dozens of subtypes of 2FA and just as many different flavors of encryption.
Organizing and classifying your data based on the required protection level allows your IT Secuirty team to prioritize the security budget to get you the most bang for your buck while also meeting your main business objectives.
Sure, we would all like to live in a world where all business assets are safe from all threats; but until that is realistic, your best bet is to utilize defense in depth in conjunction with asset classification to achieve the most effective risk management strategy for your business.
