The security and business sides of an organization need to work together to protect the "crown jewels" – that is, the assets of highest value to the organization.
Discussing the inspiration for an article he wrote for Todd Fitzgerald's CISO Compass, Information Security Forum Chief Executive Steve Durbin pointed to concerns from ISF members about the level of protection they were able to provide for mission-critical assets.
“Coupled with the level of frustration from information security in particular, business leaders were not fully aware of some of the challenges that the security organization was facing in trying to protect some of these assets,” said Durbin during an episode of the CISO Stories podcast.
To lock down those assets, security and the business teams need to ask a number of questions about the value of certain information, Durbin explained: Would you be able to function effectively without it? What would be the effect if it fell into the wrong hands? What would be the effect if you could no longer access it?
“Identifying the mission critical asset from the start is challenging enough because you really have to go through this process of identification – discovering the particular mission-critical assets, assessing the business value of those assets, determining what we call at the ISF your ‘business impact rating’ for some of those assets,” Durbin said. “So you have to rank them; and then specifying identify what those assets are — what they look like — getting agreement across the organization.”
Formerly at Ernst & Young and a former senior vice president at Gartner, Durbin has been involved with IPOs, mergers and acquisitions of fast-growth companies across Europe and the U.S.