A while ago I was talking to a company's security team, asking about their biggest cybersecurity concerns. To my surprise, incident response (while important) was named as the top issue. I found this surprising because, after all, if you don't know what you have, how can you know when you have an incident? Those conversations led to the graphic below, in which I attempt to show how each of these management disciplines builds on the levels beneath it. Without a lower level in place, it is impossible to have any quantifiable level of assurance that the higher levels are being managed successfully.
A couple of examples illustrate the point. If you don't know what your operating environments are, how can you guarantee they are configured correctly? If you don't know, from a trusted source, what your products and services are, how can you demonstrate compliance with your contractual obligations? In short, you can't. Point solutions are helpful and do reduce your attack surface, but they are far from holistic and will not keep pace with the risks you actually face.