The IT landscapes of companies and authorities are big, very big. Ensuring that all systems and data are fully protected to the highest standards at all times is a goal that virtually no company is able to achieve on a sustainable basis. The question is whether such an approach is even the right one. Christian Polster, chief strategist responsible for technology development at the IT security specialist RadarServices, speaks about the level of awareness and protection of corporate diamonds in the European economy and his basic idea for protecting the most critical “assets” of an organisation.

Mr. Polster, in order to align the development of your IT risk detection technology with the needs of your customers, you are in constant contact with IT security officers in companies from many different industries and the public sector. How would you summarise the current level of protection in the European economy in general?

Cyber security is high on the agenda in many organisations. There is a lot of investment and action here. Industrial companies are pioneers. Banks and insurance companies have been active here for years due to extensive compliance regulations. Nevertheless, the level of protection varies greatly from company to company. “It won’t affect us,” is something I still often hear when I visit companies for the first time and introduce our services. “IT security is important, but it mustn’t cost very much,” I am also told from time to time. That is why I cannot draw a consistently positive picture of a secure European economy. Unfortunately, there is a large attack surface and it is also being exploited through increasingly numerous and complex attacks.

What should companies focus on in terms of IT security?

Every company has its “diamonds”, i.e. highly critical data, systems, business secrets or processes – in short “assets”. It must be a special focus of IT to protect these in particular. The further digitisation progresses, the more IT security officers have to decide which systems, data and applications must be subject to which security level. It will no longer be possible to secure everything to the same extent. At the same time, critical assets must be extremely well secured.

This is where the problem begins. Mostly, organisations today are not aware of what exactly their “diamonds” are or which systems, data or applications must be particularly well secured to avoid risks that may endanger the continued existence of the company, such as the loss of customer confidence in a brand or product. IT security is today seen as a technical problem with a technical solution. The relationship between IT and the actual business processes in an organisation and company values is very often missing. This gap must be closed, however, in order to be prepared for further security-related digitisation. This is the only way to appropriately protect the critical assets.

So, in terms of the investments that organisations make in cyber security, less is sometimes more?

That is correct. Business leaders are becoming increasingly aware of the variety of types of attacks and points of entry, and how challenging the future of digitisation is – think IoT or artificial intelligence. As a result, they are investing more and more in IT security, yet this does not necessarily protect their critical assets better. Investment decisions should not only be seen through “technological glasses”, but always in terms of the benefits they convey for the protection of their own company diamonds.

With this in mind, how do you make the right decisions?

Some preliminary work is needed to identify the critical assets in an organisation. They are derived from business processes and corporate values, which are often complex and involve different business units, people and countries, or have different framework conditions. Assets therefore vary by industry and organisation. Nor should the complexity that exists in reality be reduced, as it could negatively affect critical IT asset security factors. The involvement of various internal stakeholders and external experts is recommended when carrying out this preliminary work.

The selected assets should then be subjected to a comprehensive risk check: what risks are they exposed to, which attackers could have an interest in attacking the assets and how well protected are the assets by the current security measures? This process leads to the gradual creation of a clear roadmap of where there are currently complete “blind spots” in the current security measures, where adjustments need to be made or, where appropriate, there is also potential to reduce security investments without the level of protection for critical assets sinking drastically.

The approach based on the determination of “corporate diamonds” rather than technology is therefore essential to this approach of IT risk evaluation. In the next step, the diamonds are considered from different perspectives: the importance for internal and external stakeholders and attractiveness for attackers. Finally, a priority list of tasks, required technologies and a feedback loop on the current IT security measures is created.