We previously wrote about what it means to be a security-obligated executive: how to identify threat warning signs and prepare for cyber-attacks. Historically, either the C-suite and the security team haven’t spoken at all, or the security team hasn’t spoken to executives in plain enough language to be understood. At McAfee, we often educate our customers on how they can improve the security of an organization simply by opening the lines of communication.
There are major disconnects we often see when auditing the security of an organization. A typical security team will assess the ability to defend against generic threats or attacks and will develop a plan to fill in those holes. More often than not, the resulting roll-out plan is missing a key ingredient: an explicit understanding of the company’s assets that need to be protected.
To ensure that the security strategy is aligned with the business objectives, we created an exercise that uncovers business risks in a non-technical way, so that the business risk and the security plan dovetail seamlessly. What we call the 3 R’s (Riches, Ruins and Regulations) helps executives and security professionals speak a common language. The exercise is designed to uncover the critical and valuable assets that are core to each line of business. Often only the line-of-business employees are aware of the presence and relevance of these assets, and the assets are outside the purview of the security team. Because of this disconnect, the security controls deployed on these systems are often inappropriate in relation to the risk those assets pose to the organization.
How it works is simple: the first step is to identify the 3 R’s by working through the questions below; then, based on the results, the security team uses the analysis to keep the company secure:
- What assets can be targeted that would be valuable to a thief?
- What are the ways assets can be stolen?
- Who would be most likely to steal this asset?
- How would a thief go about stealing this asset?
- What could you target specifically to ruin our reputation?
- What direct costs or liabilities would our company incur if the asset is stolen?
- What indirect costs, such as harm to reputation, would our company incur if the asset is stolen?
- What compliance rules does our company abide by?
- Who is responsible for compliance?
- Who audits our company’s compliance with these different regulations?
- Do we have any contracts with penalties for non-compliance?
The primary purpose of the exercise is to uncover the assets that would be of significant value to a thief if stolen, the potential attacks that might cause great damage, and finally the costs associated with failing to meet regulatory requirements. Identifying the 3 R’s gives security-obligated executives a clear vision of security as it relates to their company, which is the first step toward defending against cyber-threats and attacks.