You cannot protect what you can’t see
- Know your assets and threats based on industry, size, image, political, social factors, etc.
- Conduct high-level identification and assessment of the threats
- Produce suitable mitigation strategies/countermeasures for the threats until the risk is at a level agreed by the business
Without knowing your assets and understanding the threats against them, it is extremely difficult, if not impossible, to protect your environment.
Identifying your assets will be discussed in a later blog. Let’s quickly discuss threats.
Each industry has its own specific threats, and they range from amateurish to well-funded nation states.
There are models available to help map out what threats your organisation could potentially face.
The areas to consider are:
- Industry: Is it a high-competition industry?
- Size: How large is the organisation?
- Image: Does the company have a great dependency on its image/brand, and what would happen if it were to be compromised?
- Political: Do political events affect the organisation?
- Social: Is the organisation operating in an environment where social tensions work against it?
Each area has a specific threat and, depending on the threat, a suitable risk mitigation strategy should/must be considered, reviewed and implemented.
To put it into perspective, your corner store is probably not going to be targeted by a nation state.
However, a large/vocal pro-Western company may be a target of an anti-Western organisation, political affiliation, etc.
For each threat there is a countermeasure: mitigate, accept, insure, delegate, etc.
Once all of this has been considered, a scope can be defined for the security team and affiliates to adhere to and follow.
Understanding the scope helps any organisation formulate an appropriate strategy to counter the threats.
Naturally, this will need to be reassessed on a regular basis (think diversification, acquisitions, etc.) to ensure that the organisation is protected.