An employee skims his email box.
In his junk mail folder is a subject line that seems out of place. The title says “2011 Recruitment Plan.”
He opens the attached Excel file. It doesn’t seem interesting, so he closes it and goes on his way. Opening it was enough: the spreadsheet carried an embedded exploit that compromised his machine the moment the file was rendered.
This is how the RSA breach of 2011 began, arguably one of the most impactful compromises of crown jewels data the world had seen at that point. Because the breach reportedly involved intellectual property critical to the effectiveness of RSA’s SecurID tokens, the company was forced to replace more than 40 million tokens. In the meantime, its customers were left exposed to attackers who could defeat multi-factor authentication systems that had been stripped of their effectiveness. Simply put, hackers stole from RSA the secret sauce that its flagship SecurID product depended on.
Fast forward to 2017 and breaches are only causing more damage. All sorts of data are in the wind, including transaction data, personal identity information, health records, even confidential business plans. These security incidents have taught us an important lesson: breach prevention is a myth. The rise of new techniques such as ransomware demonstrates that attackers have the upper hand and organizations are left to react.
The reaction for most organizations is to redouble efforts, increase spending, and double down on IT audits and control frameworks. Fearful executives make reactive moves, buy “miracle cure” software packages, or delegate responsibility for security to anyone who will take it. It’s not that these moves won’t help secure an enterprise; they may. But this approach is not an efficient way to build sustainable security at an organization.
Compliance and control frameworks are great in concept. Check these boxes and you are free from worry or risk. Except it’s never been that simple. Compliance doesn’t ensure breach prevention. It doesn’t ensure detection, or response, and it certainly doesn’t reduce the impact of a breach by itself. The only thing compliance guarantees is compliance.
Most traditional control or compliance audits pay only cursory attention to data. Sometimes organizations are forced into a data mapping exercise to demonstrate compliance with a directive like GDPR. But at the end of the day, if you can’t answer the important questions about your crown jewels data (what it is, where it lives, and who can reach it), your efforts go toward a losing cause. By taking a crown-jewels-first approach, identifying the data that matters informs security strategy, not the other way around. Preventing the breach is no longer the objective – instead, you reduce the possible impact of a breach so it becomes a non-event. If you are using audits to measure compliance, you should carefully consider shifting some budget to a crown jewels assessment, so your security program can get right-sized and center on the data that matters.
Executive management can also demonstrate leadership by keeping a close inventory of crown jewels data and showing the Board how it is being protected. When a Board can see that all critical data has been accounted for and protected, and that progress is being made against plan, trust is built. That trust, when it comes time to discuss investments in security, is the difference between success and failure.
At Focal Point, crown jewels have always been a point of emphasis. To that end, we have created a special assessment that will scour an organization for crown jewels data and assess the security posture around those assets. If requested, we can also perform a threat assessment to help design an optimal use of security resources to minimize risk. In many cases, these assessments will uncover wasteful security spending that does little to minimize real-world risk, freeing up resources to provide better protections to crown jewels (and cover the cost of the assessment itself).
As a security leader, going with a crown jewels assessment over a traditional IT audit will give you a leg up with leadership.
Focal Point has experts standing by to discuss how to get started focusing on your crown jewels.