What is important to your organization and who wants it?

To properly protect the organization from potential threats, you must first understand what is important to it. The information security professional must look beyond just information technology, take a look at the organization they work for, and understand its concerns.

The information security professional must understand documents such as the corporate mission and vision statements. These documents answer questions such as:

  • What does the organization do?
    • Do you make car tires, or do you provide services to the elderly?
  • Who are the organization's customers?
    • Who receives your services?
  • Who is the organization?
    • What is the organizational culture? How does the organization want to be viewed?
    • Who are your third-party partners within your business structure?
      • Use Target, Home Depot, and now Equifax as examples, where access to the organizations' information systems was achieved through third-party vendors

Answers to questions such as these can help the information security professional understand what it is they are trying to protect. Understanding the business of your organization will help you better understand who may be interested in getting access to your intellectual property or to the information for which you may serve as the custodian.

Taking this a step further, it is important for the information security professional to reach out to and work with all levels of management within the organization. In reaching out to the functional, mission-driven parts of the organization, you will begin to understand how these groups are taking the organization's mission and vision and applying them to their day-to-day work.

It is at this point that you begin to understand where trade secrets and intellectual property exist and what the impact would be to the organization if this information were:

  • C: Provided to a competitor
  • I: Altered
  • A: Destroyed

While you are working with mission-focused groups within the organization, it is very important to present yourself as a person who can help complement a business need as it relates to protecting their information and helping them to continue doing business. When you are working to identify business-critical information, you should not be discussing technology. You should be focusing on business functions and the important data within those business functions:

  • If you discuss financial concerns with finance, you will find allies
  • If you discuss IT security with finance, you will be ignored