Before you can really have any meaningful conversation about cyber security as a director, you need to understand what critical digital assets your organisation has.
Getting to know your critical digital assets, sometimes referred to as “the crown jewels”, can be like opening a can of worms, but extremely cathartic at the same time.
If cyber security isn’t already getting board oversight in some way, this can be a great place to start. Knowing your critical digital assets can be as important as knowing your critical financial numbers.
Being armed with knowledge of your critical digital assets will help inform cyber-related conversations and decision-making on topics including:
- Training and defence needs
- Attack response and recovery considerations
- Budget requirements
Ultimately, understanding your critical digital asset portfolio helps you understand what needs protecting, why, and which defensive measures should be prioritised for deployment – or, put the other way, what is at stake if suitable defence and recovery measures are not put in place.
You will want management to prepare and maintain an appropriate register of critical digital assets, and possibly an accompanying report to explain and summarise it. The board has a role in this, as explained further on.
Depending on various factors, including available resources, organisational complexity and the balancing of other priorities, the board may wish to delegate some of this work to a sub-committee, with board oversight as deemed appropriate. For example, one or two board members could sit on the sub-committee, with reporting back to the entire board done on a regular basis.
What are critical digital assets?
Digital assets commonly fall into the following categories (provided with a few common examples, but the lists could be much longer):
- Digital services and products – that are made available or delivered to your customers by you. Examples: website, on-line ordering, cloud-based software/SaaS, on-line learning, search, streaming, WiFi and hardware.
- Systems – used to support and deliver your services and products. Examples: web and file servers, databases, e-mail, telephone, production and processing equipment and systems.
- Technologies – that underlie the systems. Examples: operating systems, device configuration, specific applications and the way they are accessed, and newer technologies such as blockchain, machine learning and artificial intelligence.
- Data – used to deliver and resulting from the delivery of your services and products. Examples: anything related to customers/clients/patients/suppliers/vendors, products, financial, payroll, physical asset attributes, patents and source code.
- Networks – across which your systems run. Examples: internet connections, mobile/cellular networks, local area networks/WiFi, virtual private networks (VPN).
Digital assets can be hosted on your own premises (e.g. in your office), by a third-party supplier off premises (e.g. in their data centre or cloud), or a combination of both. Assets held by a supplier are still your assets to account for, even though you do not operate them.
Critical digital assets are the digital assets of the highest value to an organisation and can go hand-in-hand with the highest value outcomes an organisation strives to achieve.
In a sentence, a critical digital asset could be defined as:
A digital service, system, technology, data store or network, which if breached, compromised or impaired, could cause an organisation to fail in achieving or maintaining a highly desired outcome.
As a board you may wish to review, challenge and, if deemed appropriate, revise that definition to suit the context of your organisation.
Identify organisational outcomes of highest value
Identifying critical digital assets first requires the board to identify, nominate or validate the organisational outcomes it considers most important, for several reasons:
- To ensure the approach taken to identifying critical digital assets ties back to the organisation’s priorities and strategy, rather than being driven by other factors, such as a persuasive executive who believes their assets are the most important.
- To provide management and the personnel preparing the register of critical digital assets with context on where to focus.
- To help avoid registers and reports being overly complicated with unnecessary, less critical assets.
Tip: If your organisation is starting out with identifying critical digital assets and wants to get a feel for how the process works before going all-in, pick one or two really important organisational outcomes to get going, then circle back to consider others as you gain confidence.
Consider the following examples of sources of organisational outcomes:
Purpose and objectives of the organisation
- Company constitution
- Legislation (for government entities)
Key business priorities and objectives
- Corporate plan strategic initiatives (desired outcome: achievement of initiatives)
- Key performance indicators (desired outcome: achievement of KPIs)
- Key risk indicators (desired outcome: to be within tolerance)
- Legislation, regulations (desired outcome: to be compliant)
Key products and services the organisation delivers
Beyond the obvious “just knowing what products and services you provide”, consider delving into the following to validate assumptions:
- Financial statements (desired outcome: protection of high revenue streams)
- Key contracts (one-to-one, one-to-many) (desired outcome: mitigation of risks such as financial and reputational)
- Service level agreements (one-to-one, one-to-many) (desired outcome: mitigation of risks such as financial and reputational)
Compromise of the supply or distribution of your products and services, whether actual or potential, can have a devastating impact on customers further down the supply chain as well as on you as the supplier. Consider what recourse customers would have against the organisation and what impact that could have.
Key areas of risk
If your organisation has a risk management framework, it’s logical that digital asset criticality links to agreed definitions of consequences, levels of impact and likelihood.
If as a board you have agreed tolerances, you might only want to hear about assets that, if compromised, have the potential to result in events that sit outside of tolerance.
For organisations without sufficiently mature risk management reference points, you’ll want to be thinking in terms of consequences such as:
- Financial – e.g. losses exceeding $25k
- Reputation – e.g. significant negative public attention
- Regulatory / legal / contractual – e.g. major litigation
- Health and safety – e.g. serious injury or worse
- Quality of service – e.g. downtime exceeding 1% of any 24 hour period (roughly 14 minutes)
Prioritise organisational outcomes of highest value
With outcomes of highest value to the organisation identified, it’s important that they are prioritised, which can help ensure the most critical digital assets get identified sooner.
If this whole process feels overwhelming, as mentioned earlier, pick and agree on one high value outcome and move on; it’s better than not picking any and not progressing.
How critical digital assets will be identified and how directors can use the information
With prioritised organisational outcomes identified, or verified, by the board, management will have context on where to focus.
Management can start to prepare and maintain an appropriate register of critical assets, and an accompanying report to explain and summarise it if appropriate.
Expect to see a summary of critical digital assets mapped to the outcomes of highest value to the organisation, including high-level insights that outline:
- The role the asset plays in the context of the outcome(s)
- What could cause compromise of the asset
- How compromise of the asset would be detrimental to the identified outcome(s)
- The likelihood of compromise occurring
- What’s currently done to protect the asset and mitigate negative consequences, and
- What more could be done to protect the asset and minimise negative consequences.
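As an added illustration, not taken from the original guide, the following Python sketch models such a register. Assets are mapped to the board-nominated outcomes, and an asset is listed as critical only if it underpins a nominated outcome and its worst credible consequence exceeds board tolerance, which is the definition given earlier. The financial ($25k) and downtime (1% of a 24 hour period) thresholds reuse the figures from the consequences list above; the 0-3 scale for the qualitative categories, the five-step likelihood scale, and the sample outcomes and assets are assumptions constructed for the example.

```python
"""Toy critical-digital-asset register: map assets to board outcomes and
keep only those whose compromise could breach tolerance (example code)."""
from __future__ import annotations
from dataclasses import dataclass

# Ordinal likelihood scale (assumed; the guide does not prescribe one).
LIKELIHOOD = ("rare", "unlikely", "possible", "likely", "almost certain")

# Tolerance per consequence category: impact strictly above the limit is
# out of tolerance. Financial and downtime figures follow the guide's
# examples; the qualitative categories use an assumed 0-3 scale
# (0 none, 1 minor, 2 major, 3 severe), with "major" or worse out of tolerance.
TOLERANCE = {
    "financial": 25_000,   # dollars of loss
    "downtime_pct": 1.0,   # % of any 24 hour period
    "reputation": 1,
    "regulatory": 1,
    "health_safety": 1,
}


@dataclass(frozen=True)
class Outcome:
    name: str
    priority: int  # 1 = highest value to the organisation


@dataclass(frozen=True)
class Asset:
    name: str
    category: str               # service, system, technology, data or network
    supports: tuple[str, ...]   # names of the outcomes this asset underpins
    likelihood: str             # one of LIKELIHOOD
    impact: dict                # worst credible consequence per category
    controls: tuple[str, ...]   # what is currently done to protect it

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood {self.likelihood!r}")


def breached(asset: Asset) -> list[str]:
    """Consequence categories where the asset's impact exceeds tolerance."""
    return [c for c, limit in TOLERANCE.items() if asset.impact.get(c, 0) > limit]


def is_critical(asset: Asset, outcomes: dict[str, Outcome]) -> bool:
    """Critical = underpins a board-nominated outcome AND compromise could
    push at least one consequence outside tolerance."""
    return any(o in outcomes for o in asset.supports) and bool(breached(asset))


def build_register(assets, outcomes: dict[str, Outcome]) -> list[dict]:
    """Rows for the board report, ordered by the most valuable outcome the
    asset supports and then by how likely compromise is."""
    rows = []
    for a in assets:
        if not is_critical(a, outcomes):
            continue
        linked = [o for o in a.supports if o in outcomes]
        rows.append({
            "asset": a.name,
            "category": a.category,
            "outcomes": linked,
            "top_priority": min(outcomes[o].priority for o in linked),
            "likelihood": a.likelihood,
            "out_of_tolerance": breached(a),
            "controls": list(a.controls),
        })
    rows.sort(key=lambda r: (r["top_priority"], -LIKELIHOOD.index(r["likelihood"])))
    return rows


# Constructed sample data (hypothetical organisation).
OUTCOMES = {o.name: o for o in (
    Outcome("Online ordering available to customers", 1),
    Outcome("Payroll paid on time", 2),
)}

ASSETS = (
    Asset("Web storefront", "service", ("Online ordering available to customers",),
          "likely", {"financial": 120_000, "downtime_pct": 8.0, "reputation": 2},
          ("WAF", "daily backups")),
    Asset("Customer database", "data", ("Online ordering available to customers",),
          "possible", {"financial": 250_000, "reputation": 3, "regulatory": 3},
          ("encryption at rest", "MFA for administrators")),
    Asset("Payroll SaaS", "service", ("Payroll paid on time",),
          "unlikely", {"financial": 40_000, "reputation": 1}, ("SSO",)),
    # Supports no nominated outcome: stays out of the board register.
    Asset("Office guest WiFi", "network", ("Visitors get internet access",),
          "likely", {"downtime_pct": 5.0}, ()),
    # Supports a nominated outcome but every consequence is within tolerance.
    Asset("Intranet wiki", "system", ("Online ordering available to customers",),
          "possible", {"financial": 2_000, "downtime_pct": 0.5}, ("backups",)),
)

if __name__ == "__main__":
    for row in build_register(ASSETS, OUTCOMES):
        print(row["top_priority"], row["asset"], row["likelihood"], row["out_of_tolerance"])
```

Only three of the five sample assets reach the board: the guest WiFi is excluded because it serves no nominated outcome, and the intranet wiki because its worst case stays within tolerance. That is the filtering the earlier section describes, where the board only hears about assets whose compromise could take the organisation outside agreed tolerance.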
As a board it is your job to consider and challenge what you are presented, and if appropriate, decide how to support or direct management to handle identified risks, keeping in mind:
- Avoiding the risk entirely is often impossible, even with unlimited investment
- Reducing the risk is often more cost-effective than avoiding or transferring it
- Transferring the risk, for example through insurance, is becoming increasingly difficult, and
- Accepting the risk may be your only remaining choice once the other options have been explored and, where worthwhile, implemented; any residual risk accepted should be recorded explicitly, not left as the default.
In any case, you’ll want to ensure your organisation has a good response and recovery plan in place, but that’s a topic for another time.
Conclusion
With an understanding of your critical digital assets, you’ll start to develop a much clearer sense of how important cyber security is to your organisation and how it can impact your organisation’s strategy and achievement of objectives.
This isn’t a set and forget activity. You’ll want to review annually or as and when organisational objectives get updated, and it will be prudent to review as the digital asset base evolves, for example as new systems are introduced, replaced or retired, or after a significant incident reveals a dependency the register had missed.