With this in mind, how do you make the right decisions?
Some preliminary work is needed to identify the critical assets in an organisation. They are derived from business processes and corporate values, which are often complex and involve different business units, people and countries, or operate under different framework conditions. Assets therefore vary by industry and organisation. The complexity that exists in reality should not be reduced artificially, as doing so could obscure factors that matter for the security of critical IT assets. The involvement of various internal stakeholders and external experts is recommended when carrying out this preliminary work.
The selected assets should then be subjected to a comprehensive risk check: what risks are they exposed to, which attackers could have an interest in attacking them, and how well are they protected by the current security measures? This process gradually produces a clear roadmap showing where the current security measures have complete “blind spots”, where adjustments need to be made and, where appropriate, where there is also potential to reduce security investments without the level of protection for critical assets dropping sharply.
Determining the “corporate diamonds” first, rather than starting from technology, is therefore essential to this approach to IT risk evaluation. In the next step, the diamonds are considered from different perspectives: their importance for internal and external stakeholders and their attractiveness for attackers. Finally, a prioritised list of tasks and required technologies is created, together with a feedback loop on the current IT security measures.