You're probably familiar with the term "critical assets".
These are the technology assets within your company's IT infrastructure that are essential to the functioning of your organization. If anything happens to these assets, such as application servers, databases, or privileged identities, the ramifications to your security posture can be severe.
But is every technology asset considered a critical asset?
Moreover, is every technology asset considered a business-critical asset?
How much do we really know about the risks to our business-critical assets?
Business-critical assets are the underlying technology assets of your business in general – and we all know that technology is just one of the 3 essential pillars needed for a successful business operation. In order to have complete cybersecurity governance, organizations should consider: 1) Technology, 2) Business processes, and 3) Key People. When these 3 pillars come together, organizations can begin to understand their business-critical assets – or the ones that are essential to the successful operation of your business.
The Importance of Focusing on Business-Critical Assets
Today, everyone knows it's not possible to fix everything.
There are simply too many issues that are in need of remediation - from CVEs to misconfigurations, to overly permissive identities, and so much more. In this situation, organizations are left unable to answer the question of "where should we focus our efforts first?" And without a clear path to fix what matters most first, a lot of organizations take what I call a "cyber security spray 'n pray approach" – without knowing what really matters, or what is the real business impact. They try to fix it all, leading to wasted time, effort, and resources. (If you want to learn more about the sheer impossibility of fixing everything, we suggest reading our recent report, The State of Exposure Management 2024 – looking at 40 million exposures, it highlights how managing exposures is more complex than ever.)
Download the report to discover:
- Key findings on the types of exposures putting organizations at greatest risk of breach.
- The state of attack paths between on-prem and cloud networks.
- Top attack techniques seen in 2023.
- How to focus on what matters most, and remediate high-impact exposure risks to your critical assets.
Luckily, Gartner has recently published a new framework, Continuous Threat Exposure Management (CTEM), that can help us see where and how to prioritize our efforts. It puts it this way: "CISOs must consider the following: What are the most critical and exposed IT systems ... in relation to business processes." (Read more about it in Gartner's 2024 Strategic Roadmap for Managing Threat Exposure, by Pete Shoard.) This is why it's essential to focus on business-impacting issues: it helps organizations become more effective and efficient, ensuring better use of resources and effort.
Another huge advantage, which may be even more important than the previous one? It ensures that security teams are aligned with the issues that matter most to your company's senior leadership. This leads to better communication and alignment with your business objectives, helping demonstrate that cyber security is about far more than protecting the organization's digital footprint and is instead a true business enabler. It ensures that you cover and protect the technology assets that underlie your most important business processes, and it guarantees continuous risk reduction with strong ROI on your business-critical assets. To learn more about how to effectively communicate about risk with your board and CEO, check out our ebook, Reporting Risk to the Board.
Download the guide to discover:
- The key things to convey when reporting: What can be compromised today?
- What is the likelihood of that occurring, the potential impact and operational risk involved?
- Top attack techniques seen in 2023.
- How XM Cyber provides an unmatched tool for helping you report by crystallizing causality and answering all key questions about organizational critical asset risk.
How to Protect Business-Critical Assets
There are 4 key steps when it comes to protecting your business-critical assets:
Step 1: Identifying Business Processes
While it's very nice to talk about focusing on business-critical assets, how do you actually know what's business-critical and what's not?
Identifying the most important business processes can be challenging if your company has not performed a proper business risk assessment. Reports of that kind from your risk management team will help you understand your most important business drivers, and therefore the areas of greatest risk to start with.
Let's say you haven't performed a risk assessment in a while, or ever. A) it's not a bad idea to do one, and B) another option, which is always a good start, is to use the "follow the money" approach:
- How the company makes revenue (inbound money flow), for example: from selling products, services, etc.
- How the company spends money (outbound money flow), for example: spending on operational costs, marketing, etc.
Option B will serve you well as an initial discovery of the business processes, along with their related underlying technologies.
Step 2: Map from Business Processes to Technology Assets
Now that you have a better view of the most important business processes, you can start mapping each process to the underlying technology assets, including application servers, databases, secure file storages, privileged identities, etc. These will be your business-critical assets!
Note: it's a good idea to treat the file storages that hold your most sensitive data as business-critical assets. Once you have accounted for all of these specific assets, you can begin to truly understand what impacts your business's bottom line the most.
If you are using a solution like XM Cyber, you will automatically get a report of your technology assets for both your on-prem and your cloud environments. Otherwise, this might be achieved with CMDB or asset management tools, ITSM solutions, your SIEM solution, or, hopefully, it is documented somewhere in plain old Excel spreadsheets.
Step 3: Prioritization
As mentioned, it's not possible to fix everything, which means we always have to prioritize whatever we plan to do to secure our business. Even if we had a complete list of all our crown jewels in hand, we should still ask "what are the top 3-5 business areas or processes that are the most important?". This is another case where you should work closely with the risk management team and collect that information.
In addition, another major input comes from the company's key stakeholders. In the words of Gartner, "Building scopes that align with the priorities of the senior leadership is critical to success." So it's very important to know what the C-level and Board consider P1 ("Game over"), what they consider P2 (High impact), and what they consider P3 (Low impact).
Step 4: Implementing security measures
Great! At this point you have a decent knowledge of your company's top business-critical assets - well done! Now it's time to mobilize your security teams towards securing them. This involves collecting the relevant security findings and generating remediation activities. But since it's impossible to fix everything, where should you begin, and where should you invest most of your effort?
Usually, you can begin by collecting the relevant outputs from your Vulnerability Management solution or even recent pen-test results. These provide valuable information about risks within your IT infrastructure, but they will generate yet another list of remediation activities that you now need to prioritize, which can still be a huge effort.
If you're using a solution like XM Cyber, you will benefit from the Scenario framework.
Each Scenario runs continuous attack simulations on a dedicated scope of business-critical assets. If, for example, an important business process is "Payments Processing", the Scenario lets you answer the following business question: "Can an attacker potentially compromise the Payments Processing business process?". Each Scenario execution produces a risk score together with attack path findings toward all business-critical assets. Moreover, you get a prioritized list of recommended remediation activities with the highest ROI for your efforts.
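As an added example (not from the article or XM Cyber's product), the following Python script models Steps 1 to 4: business processes with leadership-assigned tiers are mapped to their technology assets, and scanner findings are then ranked by the business process they can impact rather than by raw CVSS, so a medium finding on a payments database outranks a critical one on the marketing site. All process names, assets, findings and scores are constructed.

```python
# Added example (not from the article or XM Cyber): rank remediation findings by
# the business process they can hurt. All names, tiers and scores are constructed.
from dataclasses import dataclass

TIER_WEIGHT = {"P1": 100, "P2": 10, "P3": 1}  # leadership tiers, for ordering only

@dataclass
class BusinessProcess:
    name: str
    tier: str    # P1 "game over" / P2 high impact / P3 low impact (Step 3)
    assets: set  # technology assets the process depends on (Step 2)

@dataclass
class Finding:
    asset: str
    title: str
    cvss: float  # raw technical severity from the scanner or pen test

def asset_index(processes):
    """Invert process -> assets into asset -> [processes]; its keys are the business-critical assets."""
    index = {}
    for p in processes:
        for a in p.assets:
            index.setdefault(a, []).append(p)
    return index

def prioritize(findings, processes):
    """Step 3: best dependent-process tier, then processes sharing the asset, then CVSS; unmapped assets last."""
    index = asset_index(processes)
    def key(f):
        procs = index.get(f.asset, [])
        best = max((TIER_WEIGHT[p.tier] for p in procs), default=0)
        return (-best, -len(procs), -f.cvss)
    return sorted(findings, key=key)

PROCESSES = [  # constructed inventory from Steps 1-2
    BusinessProcess("Payments Processing", "P1", {"pay-app-01", "pay-db-01", "ad-admins"}),
    BusinessProcess("HR Payroll", "P2", {"hr-db-01", "ad-admins"}),
    BusinessProcess("Marketing Website", "P3", {"www-01"}),
]
FINDINGS = [  # constructed scanner / pen-test output from Step 4
    Finding("www-01", "Outdated CMS plugin", 9.8),
    Finding("pay-db-01", "Backup share world-readable", 6.5),
    Finding("ad-admins", "Privileged group without MFA", 8.1),
    Finding("dev-box-07", "Unpatched developer laptop", 10.0),
    Finding("hr-db-01", "Weak TLS configuration", 5.3),
]

def remediation_order(findings=FINDINGS, processes=PROCESSES):
    """Return (asset, title) pairs in the order the team should work them."""
    return [(f.asset, f.title) for f in prioritize(findings, processes)]
```

The shared privileged identity ranks first because it sits under two processes including a P1, while the CVSS 10 finding on an asset mapped to no business process lands last.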
Conclusion
Security teams spend a huge amount of time asking questions like "Can an attacker potentially compromise the Payments Processing business process?" or "Are we adequately protecting our most sensitive CRM databases, file storages, and Admin users?". Without understanding what impacts your business the most, this is often a futile endeavor.
With the methodology outlined above in hand, you can move away from spray 'n pray efforts that diminish the effectiveness of your security program and begin to truly address what's most important for your business – not only in terms of technology, but in terms of its effect on the core business.
By focusing on business-critical assets, your team will become significantly more efficient and effective – and better yet, it will signal to your C-suite and Board that what matters to them most is also your top priority. This synergy will allow for better communication and better alignment of priorities, which is a recipe for the successful operation of your business.
Note: This article was expertly written by Yaron Mazor, Principal Customer Advisor at XM Cyber.