Business-savvy CISOs focusing on their crown jewels as COVID-19 squeezes budgets
The COVID-19 pandemic has shattered several businesses, and those companies left afloat were plunged into uncharted waters. Several cybersecurity teams (already under tremendous pressure before the pandemic) are feeling the heat. Cybersecurity budgets are dwindling as executives are left with no option but radically cut down costs.
While it's easy to play the victim and lean back, leading Chief Information Security Officers (CISOs) are taking this opportunity to rethink their priorities and beef up defenses around their most valuable digital assets. As I wrote in my bestselling book, The Five Anchors of Cyber Resilience, crown jewels represent the most critical information assets, which, if compromised, can severely undermine the enterprise’s bottom line, competitive advantage, and reputation, or even threaten its survival.
Why does this even matter?
There is always a temptation to mark every digital asset as a crown jewel, but that is a great miscalculation. As several high-profile data breaches have proved, bigger cybersecurity budgets don't necessarily translate to greater business resilience. Unfortunately, we see this constant mistake across many industries: cybersecurity teams attempt to spread themselves thinly across the entire digital ecosystem, like vegemite on a toast.
To be highly effective, however, CISOs must prioritize ruthlessly. Repivoting your cyber resilience strategy towards your crown jewels offers three distinct advantages:
- This is risk management 101. By disproportionately allocating limited budget toward systems of highest risk and products customers most value, the CISO will naturally align the cyber strategy with critical business priorities.
- It significantly boosts cyber resilience without exerting additional pressure on cybersecurity teams. On the contract, attempting to apply the same protection levels across every asset sucks morale and leads to constant fatigue and costly mistakes.
- No enterprise has an unlimited security budget. One-size-fits-all wastes shareholder’s resources and diffuses the effectiveness of cybersecurity controls, leaving critical assets exposed to excessive levels of cyber risk. By focusing on what matters, business-savvy CISOs can accelerate cyber resilience and significantly lower security costs.
What can you do to get this right?
Here are some key recommendations:
- The process of identifying crown jewels can be protracted, depending on the size and complexity of the enterprise. A prudent strategy is to start with your intellectual property assets—those digital assets that underpin your competitive advantage. These include, for example, inventions, board deliberations, trade secrets, proprietary formulas and processes, prototypes and blueprints, technical designs, advanced research, confidential documents, manufacturing plans, software code, and corporate and pricing strategies.
- Cyber resilience is a business matter, not just a technology issue. An effective crown jewel assessment, therefore, requires the active engagement of key business stakeholders. This promotes transparency into cyber resilience spend, reinforcing business buy-in and support.
- Consider critical information technology infrastructure that supports your mission-critical systems. Critical infrastructure, such as domain name service servers, authentication systems, cloud services console, and perimeter firewalls often present single points of catastrophic failure but are often overlooked during crown jewel assessment.
- Institutionalize crown jewel assessment into the systems development life cycle and ensure non-negotiable controls are built into new high-value digital assets from the outset.
- Many enterprises make crown jewel assessment a once-off exercise. Such a tick-box approach is short-sighted and ineffective. The revalidation of crown jewels should not be a once-off exercise but should continuously adapt to changing data protection laws, business priorities, and threat landscape. We recommend a formal assessment at least every six months.
When done right, crown jewel-centered cyber strategies can help organizations survive increasingly sophisticated cyber threats when businesses are gripped with uncertainty, and cybersecurity budgets keep on shrinking.
We discussed these recommendations and action plans in detail. Download for free our CISO Playbook: Protecting the Crown Jewels today.