Establishing your baseline and identifying what you care about most
There are two tasks in this section, but we examine them side-by-side as the results of one will impact on the other, and vice versa. The two tasks are:
working out which components of your ‘technical estate’ (that is, your systems, data, services and networks) are the most critical to your organization’s objectives
understanding what your technical estate comprises, so that you can establish a baseline which will inform both your risk assessments and the deployment of your defensive measures
While these two tasks have separate purposes, you will need to have some baseline of your technical estate in order to understand which parts of it are mission critical. At the same time, you will need some way to prioritize which areas to baseline, as doing this for your entire technical estate would be a very resource intensive task.
What should the Board do?
Work out what you care about the most
As with any other business risks, your organization will not be able to mitigate all cyber security risks at all times. So the Board will need to communicate key objectives (it might be ‘providing a good service to customers and clients’, for example) in order for the technical experts to focus on protecting the things that ensure these objectives are fulfilled.
The Board should also consider what is most valuable to the organization. For example, the Board might know that a specific partner is crucial to the organization and that a compromise of their data would be catastrophic. This should be communicated to technical teams, so that they can prioritize protecting these ‘crown jewels’.
It is critical that this is an active and ongoing discussion between Boards and their experts:
Boards will have business insight that technical teams may not have (such as which particular partner relationship must be prioritized)
technical teams will have insight into the enablers for key objectives (such as which networks or systems particular partners rely upon)
Only by bringing these two together can you get a full picture of what is important to protect. Once you have this picture it is likely the Board will still need to prioritize within that list. This understanding will not only help focus the aim of your cyber security, but will also inform the assessment of the threat your organization might be facing.
What are your crown jewels?
Your crown jewels are the things most valuable to your organization. They could be valuable because you simply couldn’t function without them, or because their compromise would cause reputation damage, or it would incur financial loss. Some examples could be:
bulk personal data
intellectual property
your public-facing website
industrial control systems
What should your organization do?
Work out where you are starting from
This provides information that underpins your risk decisions in two ways.
Firstly, it influences the options you have. Knowing which systems are connected to each other, who and what has access to particular data, and who owns which networks are all critical to setting good defenses. This information will also be required in an incident to make an assessment of the damage an attacker could be inflicting, or the impact of any remedial actions you might decide to take.
Secondly, it might influence your risk assessment. Sometimes a risk comes not from a threat to an important asset, but from a vulnerability in your organization’s systems. Many incidents are the result of vulnerabilities in older, legacy systems, and the incidents arise not because the vulnerability can’t be defended against, but because the organization didn’t have a good enough understanding of their systems to realize they were exposed.
Understanding the entirety of your estate can be a daunting, or impossible, task - especially for organizations whose networks and systems have grown organically - but even a basic understanding will help and a good understanding of your priorities can help focus this task.
Identify critical technical assets
Based on the Board’s priorities you need to identify what parts of the technical estate are critical to delivering those top-level objectives. This could be systems, data, networks, services or technologies. For example, maintaining a long term customer base may be a priority objective. There are lots of ways that good cyber security could enable this. It could be:
securing a customer database to protect their data
ensuring resilience of the order processing system to ensure deliveries go out on time
ensuring availability of the website so that customers can contact you easily
It can sometimes be difficult to identify these dependencies as they are such an integral part of your operation that they can be taken for granted, but the questions below can help. Doing this in conjunction with baselining your technical estate will also help to potentially identify assets that you weren’t even aware of, and are actually critical to providing certain services.
What does good look like?
The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes ‘good’ cyber security in terms of establishing your baseline and identifying what you care about most.
Q1. As an organization, do we have a clear understanding of how technical systems, processes or assets are contributing to achieving our objectives?
Some questions to consider that may help in identifying these dependencies include:
What are our ‘crown jewels’ (that is, the things our organization could not survive without)?
What requirements must we meet (such as legal or contractual requirements)?
What do we not want to happen, and how could that come about?
Q2. As a Board, have we clearly communicated our priority objectives and do we have assurance that those priorities guide our cyber security efforts?
Cyber security strategy should be integrated into your organization’s strategy and your strategic priorities should guide defensive efforts. A good organization should have a process for ensuring these strategies remain aligned and should be able to demonstrate how investment is focused on those priorities.
For example, if a promise to customers about their privacy is a priority then you might:
identify what could jeopardize this promise e.g. the loss of their credit card details
identify what technical assets are required to secure those details e.g. database, access management system
prioritize defending these assets when implementing cyber security measures
audit measures regularly
Q3. As an organization, how do we identify and keep track of systems, data or services that we are responsible for?
If you are a large organization and your systems have grown organically, understanding the detail of your systems, devices and networks may be impractical. At a minimum you should be aware of what level of understanding you do have and the potential risks that any undocumented systems might pose. Ideally you want to start with a good idea of what your technical estate looks like and then have a process to ensure any changes are considered and recorded to keep the baseline up to date. This baseline might include information such as:
inventory of the hardware and software used across the organization
an up-to-date register of systems, including all internet-connected and partner-facing systems and networks
details of data sets: which services, systems and users have access to them, where they are stored, and how they are managed
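An added illustration (not part of the original guidance) of how the critical-asset identification above and the baseline register described here can be brought together in one place. The objectives, dependency graph and register are constructed sample data; the asset names and the owner/exposure fields are assumptions for the example. The first function finds every asset an objective depends on, directly or through other assets; the second reports the gaps a Board would want to know about: critical assets that the register has never recorded or that nobody owns, and exposed systems with no owner.

```python
from collections import defaultdict

# Constructed sample data, not from the page: Board objectives and the assets
# they rely on, a technical dependency graph, and the organization's register
# (db-host is relied upon but was never registered).
OBJECTIVES = {
    "retain long-term customers": ["customer-db", "order-system", "website"],
    "keep customer privacy promise": ["customer-db"],
}
DEPENDS_ON = {  # asset -> assets it relies on
    "website": ["identity-provider"],
    "order-system": ["legacy-file-server", "identity-provider"],
    "customer-db": ["identity-provider", "db-host"],
}
REGISTER = {  # asset -> (owner or None, internet_facing, partner_facing)
    "website": ("web team", True, False),
    "order-system": ("ops", False, True),
    "customer-db": ("data team", False, False),
    "identity-provider": ("infra", True, False),
    "legacy-file-server": (None, False, True),  # unowned, partner-facing
    "old-ftp-box": (None, True, False),         # unowned, internet-facing
}

def critical_assets(objectives, depends_on):
    """Map each asset an objective depends on (transitively) to those objectives."""
    result = defaultdict(set)
    for objective, roots in objectives.items():
        stack, seen = list(roots), set()
        while stack:
            asset = stack.pop()
            if asset in seen:
                continue
            seen.add(asset)
            result[asset].add(objective)
            stack.extend(depends_on.get(asset, []))
    return dict(result)

def baseline_gaps(critical, register):
    """Flag unregistered or unowned critical assets and exposed unowned systems."""
    gaps = []
    for asset in sorted(critical):
        if asset not in register:
            gaps.append((asset, "critical asset missing from register"))
        elif register[asset][0] is None:
            gaps.append((asset, "critical asset has no owner"))
    for asset, (owner, internet, partner) in sorted(register.items()):
        if owner is None and (internet or partner) and asset not in critical:
            gaps.append((asset, "exposed asset has no owner"))
    return gaps
```

Running `baseline_gaps(critical_assets(OBJECTIVES, DEPENDS_ON), REGISTER)` on the sample data surfaces a dependency nobody registered (db-host), a partner-facing legacy system with no owner that a priority objective silently relies on, and an internet-facing box outside any objective that still has no owner.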
Working with suppliers and partners
Most organizations will have suppliers or partners with whom they share information, systems or services, whether receiving them or providing them. You must include these relationships in the baseline of your estate, as they are potential entry points into your organization.