Information security sometimes feels like a never-ending challenge. There are a thousand different things that need to be done, from patching systems to educating employees, and any one hole can mean big problems. Smart companies have recognized the impossibility of securing every asset and have changed the theatre of the information security battlefield.
Effective information security management is no longer about trying to stop every little problem that can go wrong; that is an impossible task with failure guaranteed. Leading businesses are now focused on securing the intellectual property and operations that are most critical to their competitive advantage. This approach is more advanced than earlier information security programs that threw controls against the wall in the hope that enough of them stuck to keep bad things from happening.
What are the advantages to approaching information security based on a critical asset protection model?
- Helps focus your information security investment on protecting the assets that matter most.
- Makes information security more manageable and rests on realistic assumptions vs. assuming you can protect everything.
- Allows you to be more specific about your information security objectives vs. operating in a more abstract manner.
- Increases security oversight of important assets and business processes, and enables customized monitoring specific to those resources.
What are the challenges in implementing a risk based critical asset information security model?
- Initially many organizations will struggle with answering the question about which assets are truly critical.
- Requires a more collaborative model of information security, with a deeper level of engagement with key business partners. Many information security organizations struggle to identify which assets are truly critical because they have an insufficient understanding of how the business really works.
- Requires a change in mindset: from trying to secure the perimeter and keep the bad guys out, to assuming they are already inside and layering your controls so that efforts focus on protecting critical assets. This is not to say that firewalls and other perimeter-based controls are obsolete, only that they have proven ineffective as the primary mechanism for protecting an organization's critical intellectual property.
- New security tools will be needed to help protect down to the data layer and assist in blocking advanced threats.
If your information security organization is still operating with a "secure the perimeter" mentality as its primary focus, you risk becoming obsolete. More is expected of an information security organization in our knowledge-based economy. You are expected to understand the business well enough to know which intellectual property and business processes are critical to the ongoing success of your company. This requires deeper business knowledge and business relationships to help validate that you are focusing on the right things.