05-07-20 - My Assets? Who Knows. Just Protect All Of It.


CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

Asset Valuation


 On this episode of Defense in Depth:

Co-host Allan Alford and guest Bobby Ford, global CISO, Unilever, discussed:

  • Allan revised the well-known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset.

  • It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse: describe the absolute worst breach scenario. What's the second worst? Continue down the list until you understand the hierarchy of the assets.

  • A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.

  • The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often.

  • Once you know what to defend, the question is how much to defend, and after that, whether there is anything that doesn't need to be defended.

  • You may not be able to start this process at all if you don't know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery.

  • While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".

Thanks to this week's sponsor of Defense in Depth, CyberArk.

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

 

Brian Johnson, CEO, DivvyCloud and on how easy it is to tear down a well-built culture

 Upcoming Video Chats 

Tomorrow [5-8-20] Hacking the Speed of GRC

Join us for "Hacking the Speed of GRC: An hour of critical thinking of how we can improve the governance, risk, and compliance process".

Friday, 5-8-20 at 10 AM Pacific/1 PM Eastern

Next Friday [5-15-20] Hacking the Speed of GRC

Join us for “Hacking the Visibility of the Cloud: An hour of critical thinking about what we can see and what we’d like to see in the cloud”.

It’s happening on Friday, May 15th, 2020 at 10 AM Pacific/1 PM Eastern.

Best Moments from "Hacking the Security Stack"


Highlights from “Hacking the Security Stack” Video Chat. To watch the full video go here.

I moderated a discussion on Friday, 05-01-20 with Gary Harbison, vp, global CISO, Bayer and Jason Clark, chief strategy and marketing officer, Netskope.

This was phenomenal and far more than I expected. We have 15 bad ideas and unfortunately we didn't have time to discuss them all. Six of those bad ideas were Dutch Schwartz's, who was our two-time winner from the last two weeks. But, I'm awarding this week's bad idea to Rick Woodward of Dominion Energy. His idea was to "Design your security stack using machine learning to virtually create, hack, tweak, and design your security stack."

Thanks to our video chat sponsor, Netskope.

Netskope
Allan Alford on how Shelfware happens
