It’s no secret that we’re in the information age, and the rise of the CIO to prominence in most organizations reflects that. Google, Facebook, and Amazon (?) are all large companies whose entire business model is based on the flow of information from creators to customers. So if that’s the new supply chain, can we apply concepts from the physical world to the virtual one?
With physical goods we have centuries-long patterns for value flow, risk assessment, and optimization strategies. Those can include everything from accounting for weather along the transportation route, through geopolitical disruption of critical goods and regulatory oversight requirements, to criminal activity ranging from fraud to hijacking to shrinkage. Companies that operate in the physical world understand very well how to get from materials to goods, from goods to customers, and from customers to cash.
Yet those same companies often neglect the information supply chain that follows the goods. While this is starting to change, as the interest in using blockchain to track products shows, most organizations focus only on sections of the overall business process, leaving gaps for attackers (whether Murphy or malice) to exploit. The approach harks back to the 90’s and early 00’s, to the days of business process re-engineering and enterprise architecture.
We first map out the core business processes, from raw materials, through manufacturing, to delivery to customers, and ultimately to cash to the business. Once those processes are identified, at each stage we identify the critical information assets required for that step and conduct a threat and risk assessment for each one. We often find that a piece of information that is critical at one stage of the process (and highly secured there) actually originates much earlier in the workflow, where it may be neither considered critical nor properly secured. Likewise, information that is critical at one stage may no longer be important later, yet expensive security practices continue beyond the ‘expiration date’, wasting resources that could be deployed more effectively. We don’t continue to use armed guards after the semi-trailer is empty.
Of course, records retention policies and regulations, litigation, and audit requirements may extend the lifespan of information beyond its useful date, but that will all come up as part of this process. Having a good handle on the information lifecycle allows for defensible destruction policies, which most organizations lack. Have you purged your email recently?
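The stage-by-stage assessment just described, and the retention caveat above, can be expressed as a small lifecycle check. The following is an added example, not code from the original post: it models a process as ordered stages, records per stage whether each asset is critical and whether it is secured (plus an assumed `retention_required` flag for records-retention holds), and flags the two mismatches the post names, an unsecured origin before the stage where the asset becomes critical, and protection that continues past the last stage that needs it.

```python
from dataclasses import dataclass


@dataclass
class Presence:
    """How an asset appears at one stage of the process (constructed model)."""
    critical: bool                    # does this stage depend on the asset?
    secured: bool                     # is the asset actually protected here?
    retention_required: bool = False  # records/audit/litigation hold past useful life


def assess_lifecycle(process):
    """process: ordered list of (stage_name, {asset_name: Presence}).
    Returns {'gap': [...], 'waste': [...]} with one message per finding."""
    findings = {"gap": [], "waste": []}
    assets = sorted({a for _, stage in process for a in stage})
    for asset in assets:
        trail = [(name, stage[asset]) for name, stage in process if asset in stage]
        crit = [i for i, (_, p) in enumerate(trail) if p.critical]
        if not crit:
            continue
        first, last = crit[0], crit[-1]
        # Gap: the asset exists, unprotected, before the stage that treats it as critical.
        for name, p in trail[:first]:
            if not p.secured:
                findings["gap"].append(
                    f"{asset}: unsecured at '{name}', critical later at '{trail[first][0]}'")
        # Waste: still paying for protection after the last stage that needs it,
        # unless a retention/audit obligation legitimately extends its life.
        for name, p in trail[last + 1:]:
            if p.secured and not p.retention_required:
                findings["waste"].append(
                    f"{asset}: still secured at '{name}' after last critical use at '{trail[last][0]}'")
    return findings


# Constructed sample process; stage order is workflow order.
EXAMPLE_PROCESS = [
    ("raw materials", {"supplier pricing": Presence(critical=False, secured=False)}),
    ("manufacturing", {"supplier pricing": Presence(critical=False, secured=False),
                       "bill of materials": Presence(critical=True, secured=True)}),
    ("delivery", {"supplier pricing": Presence(critical=True, secured=True),
                  "shipping manifest": Presence(critical=True, secured=True),
                  "customer PII": Presence(critical=True, secured=True)}),
    ("cash", {"shipping manifest": Presence(critical=False, secured=True),
              "customer PII": Presence(critical=False, secured=True, retention_required=True)}),
]

if __name__ == "__main__":
    for kind, msgs in assess_lifecycle(EXAMPLE_PROCESS).items():
        for m in msgs:
            print(kind.upper(), m)
```

Supplier pricing is flagged twice because it sits unprotected in two stages before delivery, while customer PII at the cash stage is not flagged as waste because the retention hold justifies keeping it secured.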
The key here is that all this work then drives cybersecurity policies to a new level of maturity, ensuring complete coverage and appropriate investment based on business risk. So, as a late new year’s resolution, let’s make sure we take time away from the day-to-day, headline-driven work and work with our business stakeholders and CIOs to document, assess, and secure the information supply chain.