One of the many challenges that cybersecurity teams of all sizes face, is knowing where to focus their limited efforts and resources. This is why one of the first things any cybersecurity team should be preoccupied with is obtaining a clear picture of the business-critical assets of their organization, and to maintain a proper inventory of the technology used – essentially mapping out the organization to identify the most needed areas to secure. In a recent article, The Hacker News shares a four-step approach to mapping and securing the most critical assets of an organization.

Step 1: Identifying Business Processes
The first thing to do is identify and map out all the business processes in the organization. This is challenging if a recent risk assessment has not been performed. The risk assessment is the most useful way to identify which assets are most important to the organization. If a proper risk assessment has not been completed recently, another good option is to use the “follow the money” approach:

• Identify the inbound money flow (how the organization generates revenue).
• Identify the outbound money flow (how the organization spends money).

This option helps with initial discovery of business processes as well as to identify underlying technologies.

Step 2: Map from Business Processes to Technology Assets
Once there is a better picture of the most important business processes, a map of the underlying technology assets can be created for each process. This includes application servers, databases, secure file storage, privileged identities etc. These end up being the business-critical assets. It’s also important to identify file storages that hold the most sensitive data as business-critical assets.

Step 3: Prioritization
Once the technology and critical assets that are considered most critical are known, the team can prioritize which ones to begin securing first. Since it’s impossible to focus on everything all at once, it’s imperative to have business-critical assets prioritized to ensure the most critical areas are secured with proper timeliness. An important question to ask is: “what are the top three to five areas or processes that are most important?”

Step 4: Implementing security measures
Once the team has a good understanding of what the top business-critical assets are, and a prioritized list of which ones are most critical to the organization, security teams can be mobilized to implement security best practices with those assets in mind. This step will not only become far easier, but once a clear map of the organization has been made and assets prioritized, security efforts will become significantly more efficient and effective.

By utilizing the above methodologies, security teams can avoid using ineffective spray’n pray tactics and begin to truly address the most important areas of the organization, greatly enhancing their security posture. For more information, visit The Hacker News.