Beyond the Balance Sheet: Expanding Asset Inventories for Comprehensive Cyber Risk Assessment

Tags: asset inventory, cyber risk, cybersecurity, risk assessment, risk management | Dec 24, 2023

In an era where digital threats loom large and cybersecurity breaches regularly make news headlines, a robust cyber risk assessment is an important component of an effective cyber risk management program.

A crucial, yet often overlooked, component in fortifying digital defenses lies in the comprehensive understanding of what we are protecting – our organizational assets. Creating an inventory of organizational assets for a cyber risk assessment is not as straightforward as one might expect.

In fact, comprehensive asset listings and traditional measures are often insufficient. By broadening our perspective on what constitutes an organizational asset or resource, we can equip ourselves with more useful tools for cyber risk analysis and assessment.

The Role of Asset Inventories in Cyber Risk Assessment

Asset inventories are the bedrock upon which many effective cyber risk assessments are built. At its core, an asset inventory is a detailed catalogue of an organization's resources – but it’s more than just a list. It’s an insight into the operations and function of the organization, showcasing what’s at stake in the event of a cyber incident. In cybersecurity risk management, knowing your assets is critical for managing risks; you cannot protect what you have not identified.

A comprehensive inventory serves as a map in a cyber risk assessment by guiding cybersecurity professionals to explore potential threats and vulnerabilities relevant to the assets. By understanding which things provide value – their nature, location, and importance – we can identify how and where threats could emerge.

The qualitative aspect of knowing “what” exists is enriched by understanding “how much” is exposed to threats. This is where quantitative cyber risk assessment can be especially useful.

By assigning value to different assets, organizations can prioritize their security measures based on the expected impact of a compromise. This approach ensures that defense resources are allocated efficiently, focusing on protecting resources that, if compromised, would have the most significant adverse effect on the organization.

Beyond the Balance Sheet: Assets and Resources

If accounting records or IT asset inventories are used as a starting point, the asset inventories will begin with items on the balance sheet: servers, workstations, databases, and network infrastructure. These are undoubtedly crucial, but such asset listings may still be incomplete.

Comprehensive attempts should include critical and sensitive systems and data, including data that the organization creates or is responsible for but doesn’t own, such as customer and third-party data. These overlooked assets may not be listed on balance sheets but can still play a pivotal role in the organization’s cyber risk exposure.

The contemporary digital landscape demands a paradigm shift – a move towards a broader, more inclusive perspective of organizational resources, as indicated in NIST SP 800-30 (see below). This broader perspective includes developed intangible assets and resources that are integral to the organization's functionality and system of value creation.

The term organizational assets can have a very wide scope of applicability to include, for example … any resource or set of resources which the organization values, including intangible assets such as image or reputation.

NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments

Created intellectual property, proprietary algorithms, customer data, brand reputation, and even employee time and expertise constitute resources that could be negatively impacted by cyber threats. Additionally, operational aspects such as supply chain dependencies and business processes could be critical resources in the context of cybersecurity.

In the illustrative data included in the Cyber Risk Assessment Template available at Vision.cpa, the listing refers to resources, instead of assets, with this broader scope in mind.

[Figure: Resource listing on the Cyber Risk Assessment Template]

By expanding the asset inventory to include these broader categories, organizations can develop a more comprehensive understanding of what needs to be included in their cyber risk assessment. This expanded view not only prepares organizations to defend against a wider range of threats but also helps to align cybersecurity efforts with the organization’s overall strategic objectives.

Frameworks to Guide the Expansion of Asset Inventories

Expanding asset inventories to encompass a broader range of organizational assets necessitates a structured approach. Several conceptual frameworks can guide such an expansion, providing a foundation for systematically identifying and categorizing diverse assets.

  • Resource-Event-Agent (REA) Model: Originally developed for accounting systems, the REA model can be adeptly repurposed for cybersecurity asset inventories. By identifying Resources (assets and other things that provide value), Events (interactions or incidents that affect resources), and Agents (entities or individuals interacting with the resources), organizations can gain a comprehensive view of their assets in the context of cybersecurity.

  • COSO Enterprise Risk Management (ERM) Framework: The COSO ERM framework, widely used for risk assessment, emphasizes the importance of identifying all forms of assets as part of an organization’s risk profile. This includes intangible assets and their potential impacts on strategic objectives, offering a broad perspective essential for cyber risk assessments.

  • ISO 31000 Risk Management: While ISO 31000 is a risk management standard, its principles can be applied to asset identification. It encourages organizations to consider the full range of risks (and by extension, assets) that could impact their ability to achieve objectives.

Building a Comprehensive List of Assets for Your Organization

Having explored the necessity of broadening our asset inventory and the frameworks that can guide this process, it's now useful to discuss the practical steps involved in creating a comprehensive asset inventory tailored to your organization's needs.

  • Initial Gathering: Begin by listing traditional IT assets like hardware, software, networks, and data. Engage with different departments to ensure all physical and digital assets are accounted for.

  • Incorporate Intangible Assets: Expand the list to include intangible assets. This can include customer data, intellectual property, brand value, employee expertise, and even organizational culture.

  • Identify Operational Assets: Look beyond the immediate IT landscape to operational systems and resources. This may involve partner relationships, supply chains, manufacturing processes, and service delivery mechanisms.

Engage with various departments to gain a holistic view. For instance, the HR department might provide insights into critical personnel, while the marketing department can shed light on brand value and customer relationships. Use interviews or workshops with cross-functional teams to identify assets and their characteristics from different organizational perspectives.

Categorize and value assets to facilitate and prioritize risk analysis and assessment. Develop categories that make sense for your organization. This could be based on asset type (physical, digital, intangible), function (operational, strategic), criticality (business critical, mission critical), or sensitivity (public, confidential).

The asset inventory is not a one-time task. It should be reviewed and updated regularly to reflect new acquisitions, disposals, or changes in the operational environment. Implement a process for ongoing monitoring and review, ensuring the asset inventory remains current and relevant.
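As an added illustration (not code from the article or from the Vision.cpa template), the categorization and valuation steps above expressed as a small Python inventory: each resource carries the article's type, criticality and sensitivity categories, is checked against that taxonomy, and is ranked by expected loss (impact if compromised times annual likelihood), so intangible and non-owned resources can be compared directly with balance-sheet items. All names, values and likelihoods are constructed sample data.

```python
from dataclasses import dataclass
# Category vocabularies taken from the article's suggested taxonomy.
RESOURCE_TYPES = {"physical", "digital", "intangible"}
CRITICALITY_RANK = {"mission critical": 2, "business critical": 1}
SENSITIVITY = {"public", "confidential"}

@dataclass
class Resource:
    name: str
    rtype: str          # physical | digital | intangible
    criticality: str    # mission critical | business critical
    sensitivity: str    # public | confidential
    value: float        # estimated loss if the resource is compromised
    likelihood: float   # estimated annual probability of such a compromise, 0..1
    owned: bool = True  # False for data held on behalf of customers or third parties

def validate(r: Resource) -> None:
    """Reject entries outside the agreed taxonomy or with implausible estimates."""
    if r.rtype not in RESOURCE_TYPES or r.criticality not in CRITICALITY_RANK \
            or r.sensitivity not in SENSITIVITY:
        raise ValueError(f"{r.name}: category outside the inventory taxonomy")
    if r.value < 0 or not 0.0 <= r.likelihood <= 1.0:
        raise ValueError(f"{r.name}: value must be >= 0 and likelihood within [0, 1]")

def expected_loss(r: Resource) -> float:
    """Annualised expected loss: impact if compromised times annual likelihood."""
    return r.value * r.likelihood

def prioritize(inventory: list[Resource]) -> list[Resource]:
    """Order for risk treatment: highest expected loss first, criticality breaks ties."""
    for r in inventory:
        validate(r)
    return sorted(inventory, reverse=True,
                  key=lambda r: (expected_loss(r), CRITICALITY_RANK[r.criticality]))

def exposure_by_type(inventory: list[Resource]) -> dict[str, float]:
    """Expected loss per type; shows how much exposure sits outside the balance sheet."""
    totals = {t: 0.0 for t in RESOURCE_TYPES}
    for r in inventory:
        totals[r.rtype] += expected_loss(r)
    return totals

# Constructed sample inventory: names and figures are illustrative, not from the article.
INVENTORY = [
    Resource("Web server cluster", "physical", "business critical", "public", 300_000, 0.20),
    Resource("Customer database", "digital", "business critical", "confidential", 2_000_000, 0.10),
    Resource("Supplier data held under contract", "digital", "business critical", "confidential", 800_000, 0.15, owned=False),
    Resource("Brand reputation", "intangible", "mission critical", "public", 5_000_000, 0.02),
    Resource("Proprietary pricing algorithm", "intangible", "business critical", "confidential", 1_500_000, 0.05),
]
```

Running `prioritize(INVENTORY)` on this sample places the non-owned supplier data and the intangible brand reputation above the physical server cluster, which is the ordering a balance-sheet-only inventory would miss.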

Practical Challenges and Considerations

Expanding an organization's asset inventory for cyber risk assessment is a proactive step towards enhanced security. However, this process is not without its challenges and considerations. Understanding and navigating these hurdles is crucial for the successful implementation of a comprehensive asset inventory.

Assigning a monetary value to intangible assets like intellectual property, brand reputation, or employee expertise can be complex and subjective. It requires a nuanced approach that considers various indirect factors influencing their value. Consider using expertise from various departments and, if necessary, external consultants, particularly for valuing and managing intangible assets. Start with the most critical assets and gradually extend to cover other areas.

Collecting comprehensive data on a wide range of assets, especially in large or complex organizations, can be a daunting task. Ensuring the accuracy and completeness of this data is critical for effective risk assessment. Consider employing asset management software and tools to streamline data collection, categorization, and maintenance of the asset inventory.

Incorporating an expanded asset inventory into existing risk management and cybersecurity frameworks can be challenging. It requires careful planning and alignment with current processes and policies. Be sure to educate employees across the organization about the importance of a comprehensive asset inventory. This fosters a culture of security awareness and ensures accurate reporting and maintenance of asset information.

Expanding asset inventories can be resource-intensive, requiring additional time, personnel, and potentially technology. Organizations must balance the depth and breadth of their asset inventory with available resources. Adopt a dynamic approach to the asset inventory, with regular reviews and adjustments to account for changes in the organization’s structure, technology landscape, and business environment.

Conclusion

As we navigate through the increasingly complex and dynamic cyber threat landscape, the importance of a comprehensive and forward-thinking approach to cyber risk assessment remains paramount. The expansion of asset inventories beyond traditional balance sheets — to include a broader spectrum of organizational resources — is necessary for the effective assessment of cyber risk.

The expansion of asset inventories to include a comprehensive view of all resources valuable to an organization is not just about achieving a more thorough risk assessment; ultimately it's about aligning cyber risk management with the organization's overarching objectives and values. In doing so, we establish a foundation to protect our resources from cyber threats and fortify the very essence of what makes our organizations unique and valuable.
