Two Things Every CISO Should Consider:

  1. “What critical assets do you have that are worth protecting?”
  2. “What happens if they’re compromised?” 

These were two questions I asked a CIO from a large Energy company when I had the chance to sit down with him recently.

He replied, “We have any inventory of our technology assets but have poor visibility into the critical information assets that we are mandated to protect.” He went on to elaborate, “….if we ever had a major breach it could be catastrophic simply because we don’t have a firm understanding of what our information assets are.”

It’s a powerful admission to make and the reality is that many organizations today are facing the same reality – whether they admit it or not.


When an IT department is asked to share an inventory of assets most will produce an inventory listing of their organization’s IT hardware servers, major applications, and networking gear. This is certainly a good start however there is so much more to inventory of assets than simply hardware and software. Within IT we can get so wrapped up in the latest technological trend and “shiny flashy things” that we lose sight of the main reason that IT exists:  which is to support the processing and protection of information. 

To be truly effective within the organization, asset inventories
should include:

  • Information Assets
  • Access and Related Privileges Assets
  • Hardware and Networking Assets
  • Application Software Assets


Asset inventories should also be organized with these accompanying key elements:

  1. Asset Owners – For every asset, organizations need to know who is ultimately responsible for managing the asset. Knowing who is responsible helps keep the Information Security Program aligned with the business priorities and helps to drive a culture of security accountability throughout the organization.

  2. Information Security Classification – Assets should be identified, labeled, and handled according to their level of sensitivity and value to the organization. Safeguards should be commensurate with the classification of an Asset.

  3. Risk Rating – Major threats and associated risk levels for every Assets should be identified across the organization.

Most CISO’s will tell you that the basis for their Information Security Program is security policy. While this maybe partially true I would argue that the basis for an effective Information Security Program is first understanding what their Assets are and secondly understanding the threats against those Assets.

Having an Asset Inventory (as described above) combined with a practical Risk Management Program should be the foundation pieces in any Information Security Program.  Without first knowing what your organization’s critical assets are and the associated threats against those assets; how do you know if the Security Controls identified in your organization’s Security Policy are enough for protecting those Assets? 

Questions like these shouldn’t remain unanswered for very long.


If you’d like additional direction on collecting your own Asset Inventory, or have already done so and are ready to take the next steps for your organization’s security management process, contact one of our consultants today!