“If you try to defend everything, you defend nothing.”
Alexander the Great
Identifying the most critical assets
In a world of finite resources, irreducible uncertainty, and competing priorities, organizations must develop robust & accurate critical asset identification practices and determine the necessary layers of cyber resilience required for these systems.
Critical assets are business or technical applications that underpin several key business processes. Compromise of these assets with impact on confidentiality, integrity, or availability may result in severe effects on the organization, including financial, reputational, operational, health and safety, strategic, and legal or regulatory consequences.
Focusing defenses where they matter most must be a top priority for business and technology leaders alike, enabling organizations to maintain tactical superiority during a sophisticated cyber incident unfolding. Critical assets must be identified, designed, developed, implemented, and maintained appropriately, leveraging tailored cyber resilience best practices.
This approach is particularly relevant when addressing the most advanced adversaries with the required levels of capability of executing highly targeted & orchestrated campaigns with potential long-term operational impact on organizations.
These priority threat actors target not only the most vulnerable or least protected assets to carry out their mission. They develop tactical opportunities by attacking assets that maximize the chances of achieving campaign objectives, referred to as high value targets [1].
Identifying, securing, and continuously governing high-value targets substantially enhances an organization's cyber resilience. This approach allows you to allocate your security budget more effectively, ensuring that you neither overspend on controls for certain critical assets (crown jewels) nor underspend on others (high value targets).
References: