2. What do we need to protect?
"You can't protect what you don't know exists." I don't know who wrote it, but I fully agree with it.

Information Security, as the name says, is intended to protect information, and this task requires detailed knowledge of several aspects:

What information exists, where it is stored, how and where it is processed, what its usefulness, importance and criticality are, who has access to it, how, and why.

In the world of unicorns, every company has a detailed inventory of its information, processing activities and tools in use (computers, servers, cloud services, networks, devices, etc.), but in the real world this is rarely the case.

It is the responsibility of the Fractional CISO to make sure this "inventory" is created and, above all, kept up to date.

In practice, it is a matter of producing "lists" and "maps" that describe the different aspects involved: information, processes, technology, people.

To this end, the active participation of the Company's "Experts", both internal and external (collaborators and partners), is essential.

Only with this information do the Fractional CISO and the Company have the general and detailed picture needed to set up the Security Program correctly.


An effective and very useful method for conducting interviews and gathering information comprehensively is the "Kipling method", also known as 5W1H (Who, What, Where, When, Why, How).