Business-savvy CISOs focusing on their Crown Jewels as COVID Squeeze Budgets

The COVID pandemic has shattered several businesses, and those left afloat have been plunged into uncharted waters. Many cybersecurity teams, already under tremendous pressure before the pandemic, are feeling the heat. Cybersecurity budgets are dwindling as executives are left with no option but to cut costs radically.

While it's easy to play the victim and lean back, leading CISOs are taking this opportunity to rethink their priorities and beef up defences around their most valuable digital assets. As I wrote in my bestselling book, The Five Anchors of Cyber Resilience, crown jewels represent the most critical information assets, which, if compromised, could severely undermine the enterprise’s bottom line, competitive advantage, reputation, or even threaten its survival.

Why does this even matter?

There is always a temptation to mark every digital asset as a crown jewel, but that is a great miscalculation. As several high-profile data breaches have proved, bigger cybersecurity budgets don't necessarily translate to greater business resilience. Unfortunately, this is a constant mistake we see across many industries: Cybersecurity teams attempt to spread themselves thinly across the entire digital ecosystem, like vegemite on toast.

To be highly effective, however, CISOs have to prioritise ruthlessly. Pivoting your cyber resilience strategy towards your crown jewels offers three distinct advantages:

  1. This is risk management 101. By disproportionately allocating limited budget towards systems of highest risk and products customers most value, the CISO will naturally align the cyber strategy with critical business priorities.
  2. It significantly boosts cyber resilience without exerting additional pressure on cybersecurity teams. On the contrary, attempting to apply the same level of protection across every asset saps morale and leads to constant fatigue and costly mistakes.
  3. Obviously, no enterprise has an unlimited security budget. A one-size-fits-all approach wastes shareholders' resources and diffuses the effectiveness of cybersecurity controls, leaving critical assets exposed to excessive levels of cyber risk. By focusing on what matters, business-savvy CISOs can accelerate cyber resilience and significantly lower the cost of security.

Here are five key recommendations to get this right:

  1. The process of identifying crown jewels can be protracted, depending on the size and complexity of the enterprise. A prudent strategy is to start with your intellectual property assets, the digital assets that underpin your competitive advantage. These include, for example, inventions, board deliberations, trade secrets, proprietary formulas and processes, prototypes and blueprints, technical designs, advanced research, confidential documents, manufacturing plans, software code, and corporate and pricing strategies.
  2. Cyber resilience is a business matter, not just a technology issue. An effective crown jewels assessment, therefore, requires the active engagement of key business stakeholders. This promotes transparency into cyber resilience spend, reinforcing business buy-in and support.
  3. Consider the critical IT infrastructure that supports your mission-critical systems. Critical infrastructure, such as Domain Name System (DNS) servers, authentication systems, cloud service consoles and perimeter firewalls, often presents single points of catastrophic failure, yet it is frequently overlooked during crown jewel assessments.
  4. Institutionalise crown jewel assessment into the systems development life cycle, and ensure non-negotiable controls are built into new high-value digital assets from the outset.
  5. Many enterprises treat crown jewel assessment as a once-off exercise. Such a tick-box approach is short-sighted and ineffective. The revalidation of crown jewels should instead continuously adapt to changing data protection laws, business priorities and the threat landscape. We recommend a formal assessment at least every six months.

When done right, a crown-jewel-centred cyber strategy can help organisations survive increasingly sophisticated cyber threats at a time when businesses are gripped by uncertainty and cybersecurity budgets keep shrinking.

To get a complete grasp of the presented action plans and recommendations, download our CISO Playbook: Protecting the Crown Jewels for free.

Damon Jones

Identity Threat Protection | Risk Based Authentication | Cloud Migration | Ransomware | Identity Security

4 years

Well said, it is so important to have the ability to continuously assess where your Crown Jewels data resides and to protect it from inappropriate use.

AL X.

Docker APAC | CISM* | MEDDPPICC

4 years

Love the non-negotiable essential controls mentioned in the playbook - Multi-factor authentication, Network Segmentation, Application whitelisting, Patch management etc

Asaf Ahmad

Visionary cyber, risk, and compliance expert dedicated to ensuring best-in-class cyber security and information technology performance

4 years

You have hit the bullseye!

Richard Siphiwe Chileshe

Information Systems Audit

4 years

Very Insightful Article. Thanks Phil
