While Sun Tzu, in The Art of War, tells us to "know your enemy and know yourself" to win a hundred battles, in information risk management for small and medium-sized businesses we need to invert that priority to "know yourself, and then know your enemy."
Actually, for those of us in resource-constrained organizations trying to protect ourselves and manage our information risk, we need to add a middle piece to that phrase: "know your environment." Knowing ourselves, though, is the fundamental foundation. So the order looks something like this: know yourself, then know your environment, then know your enemy.
The trick is that it's not so easy to know ourselves. In this time of BYOD and indeterminate interconnectivity, that is a major challenge for small and medium-sized businesses all by itself. With unknown devices in unknown configurations with unknown operating parameters entering the business every day, just getting a device inventory is difficult. And that's really just counting. So if counting is hard, we know we've got a challenge.
Knowing ourselves does not enable us to predict or control the future, but it does allow us to make better decisions when unpredictable things happen.
As we work towards mastery of knowing ourselves, we then begin to endeavor to better understand the environment in which we work. How rough is the online neighborhood in which we’re doing business? (pretty rough). Who are we connected to? Who’s connected to us? Who might be trying to connect to us?
The "know your enemy" part is important, and intriguing, and sexy, but we can't get there without first knowing ourselves and the environment in which we work and defend ourselves.
Do you know your company’s business objectives, its assets, its capabilities, its vulnerabilities? What techniques do you use to know yourself, your business? Do you use a risk register to do this? Informal focus groups? Something else?