How do you identify and protect the “Crown Jewels” of your architecture?
I mean, the reality here I struggle with because I talk to people who emphasize the notion of crown jewels. I actually disagree with it fundamentally. And here's why: when thinking about data as a crown jewel component, what it really protects against is compliance, regulatory fine litigation. Consumers have been exposed more times than we can count. And we're almost desensitized to it at this point. Map the critical data flows, not the actual crown jewels of data. If your data all traverses this one system that nobody can patch, nobody wants to turn off, that's where the real risk is for the organization. Because when that goes away, all the connectivity and system flows fall. And so it became more of a crown flow, like what are the key flows of the organization? At JP Morgan, it was how does money move? And when you ask somebody how money moves, what you find, especially for most SMBs, is that it's email. And it's all in email systems that are not well logged, tracked, monitored. It's a hot mess. So, most organizations fail to understand their actual ecosystem of data flows. And that creates a fundamental core issue in ever trying to tackle the supply chain.
Yeah. I'm glad you brought that up, Anthony. I think you articulated well, that data flow sometimes really becomes that crown jewel data flow. That's a real salient point that I think we should all remember. If you do that crown jewel flow, then you can figure out how deep you go. Consider below the operating system, security firmware BIOS, right? In some contexts, highly critical. Half of the folks I’ve talked to said, "I'm not going to go deal with it on my PC servers or whatever because I don't have the time. And I'm just going to assume when I buy the laptop from Dell, they're doing a good enough job, right?"
They're not.
Yes. From a crown jewel standpoint, in the food manufacturing business it's your product formulations, your recipes, how you manufacture. Those are the crown jewels: what are the ingredients to the products that keep the lights on across all of our business lines. That's where we spend a maximum share of resources to secure and protect.
It's very important to identify what the crown jewels are, because I think everyone agrees that there is no such thing as 100% bulletproof cyber defence. It's just impossible. So depending on your business, you can say I'm going to protect my IP no matter what because these are my crown jewels. I was on the board of Ellie Mae. Ellie Mae processes 40% of all mortgages in the United States. Their crown jewels were the customer data.
There's not a cookie cutter that says this is the most important in every business. It really goes back to understanding what the business is, what it's about, what are the key components that really support the business operations? And then you go from there and figure out what should be my top priority from a risk management, third-party risk perspective.