Brett Williams, Maj Gen USAF (Ret)
Cybersecurity Executive and Professional Speaker; President, Operations and Training, IronNet Cybersecurity Inc.
Cybersecurity ROI: 3 questions to ask about data
Measuring return on investment (ROI) for cybersecurity spending is notoriously difficult. If you don’t get hacked, it is hard to prove that the resources you invested prevented something from happening. And keep in mind that in cybersecurity, resources are not just dollars. Money, time and people are all limited resources when securing your digital crown jewels.
So you have to find areas where you are confident that investment does materially lower your risk. A good place for C-Suites and Directors to start is by investing in answering these three questions about your critical data: What is it? Where is it? Who has access to it?
1. What is our critical data? What data, if stolen, destroyed, exposed to the public or manipulated, would have a strategic impact on the business? It might be your business strategy, it might be your customer database, it might be the details of your next M&A, or it might just be your emails on what you think about Angelina Jolie. Saying all of the data is critical is a cop-out. You cannot and should not protect it all at the same level. Figure out what the crown jewels are and focus there. While you are at it, look at all the data you are collecting and storing. Do you really need everything you are collecting, and how long do you really need to keep it? It is easy and cheap to store data, but the more data you have, the bigger your attack surface is to the hacker.
2. Where is our critical data? “In the cloud” is not a sufficiently detailed answer. Find out where the data is and I guarantee you there is more than one copy and it is in more than one location. There is an appropriate balance between redundancy, resiliency and security. You obviously need backups for a variety of cyber and non-cyber attack contingencies, but every copy has to be kept current and it has to be secured. Invest in attaining a balance that meets your company’s risk appetite and tolerance.
3. Who has access to our critical data? Which humans, by name, can access the data? Are they the right humans? Do they really need access to all of the data? Are there humans on the list who have changed jobs in the company or retired three years ago? You have to control access to the data. It is resource intensive to understand and control access to the data, but it is foundational to security. Access control is what lets you notice when an outsider has gained access by stealing a legitimate user’s credentials, or when a malicious insider is misusing their privileges.
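The access review described in question 3 is the kind of check that can be scripted rather than done by hand: pull the list of accounts granted access to each critical dataset, reconcile it against the HR roster, and flag accounts with no human owner, people who have left, and people who have changed departments. The script below is an added example, not code from the original post or from the author's company; the datasets, department names, user accounts and the rule that HR is the source of truth are all constructed assumptions.

```python
"""Added example: reconcile who can access critical data against the HR roster.

Not from the original post. All names, groups and data shapes below are
constructed for illustration; a real review would pull the access list from the
identity provider or file-share ACLs and the roster from the HR system.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Person:
    user: str
    department: str
    status: str          # "active" or "terminated"
    last_change: date    # last job/department change or termination date


# Constructed HR roster (assumption: HR is the source of truth for people).
ROSTER = {
    "asmith": Person("asmith", "Finance", "active", date(2019, 3, 1)),
    "bjones": Person("bjones", "Corp Dev", "active", date(2021, 6, 15)),
    "cwu": Person("cwu", "Marketing", "active", date(2023, 1, 10)),   # moved out of Finance
    "dlee": Person("dlee", "Finance", "terminated", date(2020, 8, 31)),  # retired
}

# Constructed access list: each critical dataset, the departments that
# legitimately need it, and the accounts currently granted access.
ACCESS = {
    "ma-deal-room": {"allowed": {"Corp Dev", "Legal"},
                     "members": {"bjones", "asmith", "svc-backup"}},
    "customer-db":  {"allowed": {"Finance"},
                     "members": {"asmith", "cwu", "dlee", "ghost"}},
}


def review_access(access, roster, today):
    """Return findings per dataset: accounts with no human in the roster,
    terminated people, and people whose current department is outside the
    dataset's allowed set."""
    findings = {}
    for dataset, spec in access.items():
        unknown, terminated, wrong_dept = [], [], []
        for user in sorted(spec["members"]):
            person = roster.get(user)
            if person is None:
                unknown.append(user)          # no named human: service account or orphan
            elif person.status != "active":
                terminated.append((user, (today - person.last_change).days))
            elif person.department not in spec["allowed"]:
                wrong_dept.append((user, person.department))
        findings[dataset] = {
            "unknown": unknown,
            "terminated": terminated,
            "wrong_department": wrong_dept,
        }
    return findings


def stale_grants(findings, days=90):
    """Terminated accounts that have kept access longer than `days`: the
    first grants to revoke."""
    return sorted(
        (dataset, user)
        for dataset, f in findings.items()
        for user, age in f["terminated"]
        if age > days
    )


if __name__ == "__main__":
    result = review_access(ACCESS, ROSTER, date(2024, 1, 1))
    for dataset, f in result.items():
        print(dataset, f)
    print("revoke first:", stale_grants(result))
```

Run against the constructed data, the review reports one orphan account on each dataset, a retired employee who still holds access to the customer database more than three years after leaving, and two active employees whose department no longer matches the data they can reach. The "unknown" bucket is worth a look in its own right: every account on a critical dataset should map to a named human or a documented service owner.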
Many companies cannot answer these three questions with any degree of confidence, so make sure yours can. And then, if you don’t like the answers, work with your CIO and CISO to figure out where to invest time, people and money to lower the risk to your digital crown jewels.