Far too many security conversations start with a list of tools and price points, when actually, the environment is the most important factor to consider. Before you ever sit down to make your lists of must-have and want-to-have defense devices, examine your organization’s information landscape. Consider which assets are your most critical, who has access to them and in what systems they reside. From there, you can begin to consider the best methods for protecting those resources. We call this a self-audit, and here are the basic steps for conducting one:

Ask executives to answer the three W’s.

Before you do anything else, ask three questions:

  1. What are we protecting?
  2. Where is it located?
  3. Who has access to it?

The answers to these questions should determine everything else your company does as it maps out its security strategy. Make your answers broad, and include ratings to help you understand how groups, people and processes interact with your most critical data. For example, you might rate interactions with intellectual property, email and core systems high, while ranking non-work-related systems low. Examine what level of information sits in your customer relationship management (CRM) and other systems. Ask questions of stakeholders to make sure the answers you get during this first step in the self audit are accurate.

Look at relationships and assign risk.

Use a mind mapping tool or some other kind of diagram to visualize how all of the critical systems in your environment interact with each other. The workflow you produce should note how the systems are connected, who uses each one, which communications channels are in place and whether there are automated batch jobs or other scheduled data flows to consider. (This can be a helpful exercise in terms of streamlining processes, as well as establishing security systems.)

With your map in place, assign levels of risk to each item, considering the ramifications if any system were compromised. This is a subjective activity, but you’ll get a good sense of where your potential pain points are if you consider both the value of the asset and the level of security of the workflows that pass through it. For example, if you have a system that employees can access through less-protected devices, such as tablets or smartphones, that should boost the level of risk you assign. Other elements that add to risk might include complex workflows, low employee awareness about threats, and data silos built into shared systems.

Build out layers of protection.

Once you fully understand your environment and its various levels of risk, you can begin crafting a strategy to improve your security profile and evaluating solutions to shore up weak spots. This is the time to consider what various security breaches would cost and to establish the budget for preventing such events. Regardless of the size of your company, you can defend your environment by building out layers of defense that reflect the value of your resources and the weak spots in your systems. Doing that effectively starts with an honest, complete security audit.