In the previous posts we looked at why we need a cybersecurity strategy and what the scope of this strategy should be. Answering this question brings us automatically to the next, which is:
What should we protect?
This can be answered relatively easily by identifying your assets within the scope of your cybersecurity strategy. What has value to you, and your stakeholders, within this scope?
To identify these assets, just follow the steps laid out in most ISMS implementations – there is no real difference between an ISMS or your cybersecurity strategy here. The easiest assets to start with are, obviously, all your tangible assets like computer systems, network equipment, licenses, credentials for accessing your cloud provider and many more.
Things get more interesting when you have to identify your intangible assets. To begin with, you should cast the net as wide as possible and then eliminate any non-essential assets from that haul. You will probably find assets like software, reputation and maybe even search engine rankings and industry scores in this list.
But look a little beyond these obvious ones. Most (smaller) companies I know that provide specialized services often have a SPOK (Single Point of Knowledge). This is the person who knows everything about the software or process that is at the core of their business. The SPOK is often one of the first people to start working for the company and as the company grows, so does their involvement and therefore their ‘SPOKness’. Making sure that knowledge and expertise is shared within the company is both better for the company (‘what if the SPOK falls ill?”), and better for the SPOK as well (‘I really could do with a holiday’).
The second area of interest comes into play when you are part of a supply or value chain. You may be ‘just’ a small step in the whole chain, but your organisation handles valuable assets nonetheless. And although these assets are not technically yours, you still need to protect them while you are handling them. You may need to store them, or add some value to them, but in all cases you must be sure that they are properly protected and their confidentiality, integrity and availability can be guaranteed.
To be able to identify how critical an asset is, you should always ask yourself the ‘what if’ questions: ‘What if the asset is no longer available?’, ‘What if I can no longer rely on the
integrity of my asset?’ and ‘What if my asset has been disclosed without my consent?’. If your business is seriously impacted when answering one or more of these questions, you have probably found a critical asset (tangible or intangible) and you need to take measures to protect it.
This brings us to the conclusion of this post, and makes a nice bridge to the next one. In the next post we will look at what we are protecting our assets from. What are threats, vulnerabilities, impacts and risks?
Until next time, as always, stay safe!