Enhancing your cybersecurity with a crown jewels analysis

| By:
Jason McNew

“Crown jewels” is an age-old term, and its use summons storybook tales of the highest room in the tallest tower. When we put these particular words into a search engine, the first results are the Tower of London and the Crown Jewels of the United Kingdom. The tech sector (us!!) loves to borrow terms, so you may have heard “crown jewels” in a cybersecurity discussion. But what are crown jewels in cybersecurity?

The crown jewels analysis (CJA) for cybersecurity

Cybersecurity is, at its core, a risky business. We’re in the business of managing risk—specifically, the risks that are introduced into an organization via the handling of information and the operation of information technology systems. One of the main pillars of any risk management endeavor is the classification of assets by value—where “asset” is defined as anything which has value to the company.

But all assets are not created equal. Once we understand that, we can discuss exactly how much value these assets have and which assets are of the highest value—which are “the crown jewels.” When it comes to crown jewels security, practitioners need to know first what information is specifically of the highest value to the company. Which information systems or automations, if they fail, would have the highest negative impact on the company’s bottom line?  Which would expose personal identification numbers or data? These assets are the crown jewels—they go in the highest room of the tallest tower.

Identifying your crown jewels

Let’s compare two types of information:

  1. Marketing collateral on a company’s public-facing website
  2. The source code to a specialized application

Now consider an incident where the confidentiality, integrity, and availability (CIA) of either of these types of information is threatened—in other words, hackers! You are under attack! While this is an extremely simple example, the basic premise of crown jewel cybersecurity is that not all kinds of information have the same value, and therefore we spend more resources (money) protecting information and information systems that are the most important and less money on those which are less important.

A crown jewels data security analysis generally seeks to classify assets into three categories:

  1. Public information
  2. Internal information
  3. Restricted information

To determine the relative value of your assets, as yourself these six questions:

  1. Are you running a financial or legal risk if a data breach happens?
  2. Could competitors use your leaked data to their advantage?
  3. Can stolen data be recreated?
  4. What is the impact of theft on revenue?
  5. What kind of disruption and downtime would a data breach result in?
  6. How badly will your reputation suffer if sensitive data is compromised?

As we demonstrated in the example above, marketing collateral on a company’s public-facing website would fall under “public information,” the lowest level of value, while source code to a specialized application would fall under “restricted information,” which has the highest value and warrants top of the line protection. This is where a formal crown jewels analysis (CJA) comes in.

MITRE explains very succinctly: “Advanced persistent threats (APTs) can maintain a persistent presence in mission networks. We need to be able to ‘fight through’ an APT attack with resilient systems and effective procedures. It is not cost-effective to design every cyber asset to operate through an attack. Instead, we must find the mission-critical cyber assets—the crown jewels—and assure they can operate through.”

Crown jewels are different in every organization and identifying them depends on many unique factors, e.g., size, structure, culture, the activity of the organization, etc. As you begin to identify yours, consider taking it a step further by comparing your crown jewels and prioritizing protections based on criteria that makes the most sense for your business.


The NIST Cybersecurity Framework (CSF) flows down from five functions in a hierarchical fashion: identify, protect, detect, respond, and recover. If we mapped the CJA to the NIST framework, it would fall under identify. Since most of our (monetary) resources will ultimately be utilized to detect and respond, a proper CJA will assist us in knowing where to deploy advanced protective technologies such as SIEM, MDR, EDR, antivirus, and BCDR.

How to conduct a crown jewels analysis (CJA)

There are several established and mature methodologies for performing a very formal CJA if needed. Which method is best for you will depend on the overall structure and complexity of your organization, though many tend to generally follow a similar process to these five steps from infosec partners:

  1. Define: Determine the data protection objectives and develop an organizational data model
  2. Discover: Understand data lifecycle and environment, and identify areas of critical data storage, traffic, access
  3. Baseline: Establish baseline requirements and assess current controls to identify gaps and determine solutions
  4. Secure: Plan and prioritize technical and business process transformations. Design and implement solutions that protect critical data and align business growth objectives
  5. Monitor: Determine metrics and processes for monitoring, response, and communications and continually revalidate and improve program effectiveness

The crown jewels analysis then becomes an integral step first step when conducting a cybersecurity assessment, especially when enterprise environment requirements exist. It serves four purposes:

  1. Identify a business’s mission-critical information assets
  2. Assess the adversarial threats to these assets
  3. Determine the most appropriate method to protect the crown jewels
  4. Implement approaches that will ensure comprehensive and balanced protection

Typically, a CJA is leveraged by larger enterprises and consists of two parts:

  1. Threat assessment and remediation analysis (TARA)
  2. Cyber command system

Introducing a CJA to your SMB clients today would be the equivalent of introducing SIEM 15 years ago, but the concept is relatively simple to grasp and an important one to make sure there’s alignment between you and your clients on what assets are of primary importance. Why wait for everyone else to catch on? Become an early adopter.