
Defense in Depth


May 7, 2020

All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-asset-valuation/)

What's the value of your assets? Do you even understand what they are to you or to a criminal looking to steal them? Do those assets become more valuable once you understand the damage they can cause?

Check out this post for the basis for our conversation on this week’s episode, which features me and Allan Alford. Our guest is Bobby Ford, global CISO, Unilever.

Thanks to this week's podcast sponsor, CyberArk.

CyberArk

At CyberArk, we believe that sharing insights and guidance across the CISO community will help strengthen security strategies and lead to better-protected organizations. CyberArk is committed to the continued exploration of topics that matter most to CISOs related to improving and integrating privileged access controls.

On this episode of Defense in Depth, you’ll learn:

  • Allan revised the well-known formula for risk (Risk = Likelihood x Impact) to reflect an asset's importance. So instead, Risk = Threat plus Vulnerability as aimed at an Asset.
  • It's hard to get a stakeholder to tell you the value of their assets. Instead, ask them the reverse. Describe the absolute worst breach scenario. What's the second worst? And then on down until you have an understanding of the hierarchy of the assets.
  • A business impact analysis (BIA) will also help uncover asset valuation. Allan Alford has a BIA calculator on his site.
  • The simple question of "What are you defending?" is one that most business leaders struggle to answer. They need to be able to answer that question often.
  • Once you know what to defend, the question is how much to defend, and after that, whether there is anything that doesn't need to be defended.
  • You may not actually be able to start this process if you don't know what your asset inventory is. This should be managed with a discovery tool and multiple iterations of discovery.
  • While you're valuing your own assets, try to make sense of what these assets mean to an attacker. That will help you answer the question of "how much to defend".