Crown Jewels Analysis for Startups
Crown Jewels Analysis can be a fantastic cost-saving strategy for startups
Let’s be honest: for a cash-strapped startup, time is second only to money as the most precious commodity. What if I told you there is a well-studied security strategy that can save your startup both?
Crown Jewels Analysis (CJA) is a time-honored security strategy that has garnered attention and study from MITRE, Dragos and many more in the information security realm. The strategy is simple and geared perfectly toward startups and mid-sized businesses that don’t have the cash, time or expertise to focus too much attention on security in their early stages.
The focus is simple: identify the Crown Jewels, or the most valuable assets in your business. The value can be gauged from the perspective of the company (what asset in our company is the most critical to success?) or the theoretical attacker (what asset in our company is the most valuable to an attacker?) and can include anything from critical data assets like databases, machine learning models or APIs to intellectual property like codebases, business strategies or legal documents.
After you identify the Crown Jewels, it’s time to start thinking about how to defend them. Is your API behind a load balancer? Are your passwords properly hashed? Do you have backups for your critical databases? Are your codebases using properly secured version control systems?
Here is why this strategy is great for startups:
Prioritization - Prioritizing your attention to focus on defending the most important assets in your organization means those assets should be safer. You are reducing the likely impact of a breach by lowering the likelihood that the most important assets in your organization are compromised. Minimizing impact is one of the most important aspects of information security as it is the only aspect of risk (calculated as impact of an event taking place × likelihood of the event taking place) that you can really control.
Limiting overhead - Prioritizing the securing of your assets means you’re not wasting as much effort on items of lower importance. Should you fix the bugs that lead to minor information disclosures on your infrastructure, such as telling an attacker what version of a given web framework your application is using? Yes! Should you prioritize fixing that over securing a mission-critical database accidentally left open to the web? YES! Limiting overhead doesn’t mean ignoring the small problems; it means ensuring that the time you spend securing your network and applications is spent efficiently by homing in on the Crown Jewels.
Security culture - Crown Jewels Analysis is a great way to start imposing security culture on your organization. Thinking like an attacker, prioritizing asset management and security-aware analysis of your infrastructure are incredibly important aspects of security culture that you can start instilling early as a founder or technology leader.
If you are a security-conscious founder or technology leader in a startup and you consistently worry about “how to start” securing your organization, CJA is a phenomenal way to get going. If you need a bit of help, please drop me a line and let’s start a conversation.