3 Prioritize Risks and Target Protections

With no natural defenses and fewer troops than his enemies, Frederick the Great admonished his generals, “Little minds try to defend everything at once, but sensible people look at the main point only; they parry the worst blows and stand a little hurt if thereby they avoid a greater one. If you try to hold everything, you hold nothing.”

What holds true for Prussian commanders applies no less to business and technology leaders scrambling to protect their companies from cyber-attack. Just as generals must husband scarce divisions for their country’s most pressing threats, CISOs must focus their resources on their company’s most critical business risks.

Before anything else, achieving digital resilience requires companies to pull two levers successfully. They must prioritize information assets based on business risks and provide differentiated protection for the most important assets.

Too many companies fail to do this. They have limited insight into which information assets are most important and cannot put more stringent protections in place to defend those critical assets. The result: the company gets too little protection for too much money.

The businesses, the risk function, IT, and the cybersecurity group all need a common language and set of mechanisms to assess risks, evaluate potential protections, and make trade-offs.

In prioritizing information assets, cybersecurity teams must balance rigor with practicality and ensure that ...

Get Beyond Cybersecurity: Protecting Your Digital Business now with the O’Reilly learning platform.