It’s a truism of modern risk management that organizations concerned about cyber attacks need to “identify their critical data and assets.”

The logic behind this is irrefutable. Information investments – from defense and detection to incident response – need to focus on the information and IT assets that are most important to the survival of your business.

That’s a simple enough concept to grasp. But it hasn’t always been true in practice.

For much of the last 20 years, security software firms have sold customers on ‘layered defenses’ – combinations of network perimeter defenses like firewalls and security gateways, as well as network and host detection tools like IDS and endpoint anti malware. The strategy was always, nominally, to protect critical data and assets. But those tactics (deploying security tool x, y, and z) were often only loosely joined to the grand strategy of protecting critical information.

“Layered defense” was great in concept. But, too often, the layers didn’t join with one another easily, or make it easy for customers to correlate activity at one layer (say a web browser crash on an endpoint) with subsequent, related activity like internal network scans, outbound communications or unusual patterns of user activity. The result: malicious actors, having penetrated one or more of those defensive ‘layers,’ are often free to move unheeded and unhindered within corporate networks, gaining access to critical IT assets and the data they contain.

The chorus of those criticizing this conventional approach is growing louder. Just this week I attended a conference here in Boston hosted by the Advanced Cyber Security Center (ACSC). The event, titled “Left of Boom” was focused on the concept of cyber preparedness: taking steps and introducing new technologies and processes that – while they might not prevent online attacks, will make organizations more resilient when they are attacked.

Speaking at the event, former Department of Homeland Security chief Michael Chertoff – lately of The Chertoff Group, a beltway consulting firm – told the audience that IT security strategies that focus on prevention of cyber incidents are “doomed to failure.”

Likening existing networks to M&M candies, Chertoff said that companies that offer a ‘hard shell’ approach to cyber defense will have “lots of people eating the chewy center” of their networks. (Author’s note: Michael Chertoff is not the first person to use this analogy!)

Rather, Chertoff said companies should consider what, in their enterprise is “of the most strategic value? What can’t you live without?” Security controls shouldn’t just be layered. Instead, an organization’s entire security architecture should be oriented and prioritized to protect the key assets and data, Chertoff said.

What does this mean practically, though? And how can large and complex organizations manage the task of identifying critical data and assets so that they can prioritize investments in protecting them?

That’s a much bigger and tougher question to answer. I’m happy to say that a panel that I chaired at the ACSC delved into that complicated question – at least a bit.

The panel, titled “Is your organization doing all it can Left of Boom?” brought together some of the best security minds around: Andy Ellis, the Chief Security Officer of Akamai Technologies, Udi Mokady the President & CEO of CyberArk Software, Chris Perretta, the Executive Vice President and Chief Information Officer at State Street Corporation and Katie Moussouris, the Chief Policy Officer of HackerOne.

Their perspectives were varied and – of course – every IT environment is unique. But some of the more salient advice works across contexts.

Without exception, my guests advised companies to tackle organizational and cultural barriers alongside the technical obstacles. These often slip under the radar – or are too painful to address. But they can be debilitating –as some of the recent reporting on the circumstances surrounding Home Depot’s breach indicate.

My panelists said companies that want to get serious about protecting critical assets need to end the habit of compartmentalizing IT staff (IT and OT, or network, desktop and security) and work to build and promote integrated teams with diverse skill sets and a common turf.

Beyond that, my panel recommended that organizations develop ways to think creatively about the ways in which outsiders may gain access to their network and the kinds of data they may be interested in. Among the questions to ask: "How do third party software packages expose your network and IT assets to attack?" and "Do third party business partners or contractors have remote access to systems within your network?" If so: "How closely are you monitoring that access and the devices they are using to connect?"

Critically: all of the experts I spoke to made clear that leadership on security needs to come from the top down – meaning the C-suite. Executives need to both internalize the need for robust cyber security and communicate that to those under them.

Of course, none of these measures will stop a determined attacker. But planning ‘left of boom’ isn’t about stopping attacks so much as making your organization prepared to deal with adverse events when they happen and to limit the damage they cause.

About Paul Roberts

Paul Roberts is the founder and editor in chief of The Security Ledger. Paul has spent the last decade covering hacking, cyber threats and information technology security, including senior positions as a writer, editor and industry analyst. Most recently, he served as editor of Threatpost.com and a Security Evangelist for Threatpost’€™s corporate parent, Kaspersky Lab. Prior to that, Paul spent three years covering the enterprise IT security space as a Senior Analyst in The 451 Group’€™s Enterprise Security Practice, where he covered trends and technology developments in the security market, with a concentration in endpoint security.