Breakpoint Blog

Benjamin Mossé • 05 Oct 2025

Mike Burgess's Five Knows of Cyber Security

Back in 2015, Mike Burgess introduced his mental model called “The Five Knows”, a framework built to challenge the dangerous assumptions organizations make about their cyber defenses.

The core message: If you do not know who can access your data, where it lives, or who is protecting it, then you cannot claim to be protecting it at all.

Here is the breakdown:

  1. Know the value of your data. Even if you do not think it is valuable, your competitors or cybercriminals might.

  2. Know who can access it. Compromised credentials are still the number one way breaches happen.

  3. Know where it is stored. Cloud sprawl and shadow IT mean data lives in more places than you think.

  4. Know who is protecting it. Third-party risk remains a serious gap.

  5. Know how well your data is protected. If you have not nailed the first four, your risk assessments and controls may be based on false confidence.

Ten years later, this framework is mostly forgotten. Even Burgess might not use it today. But the principle behind it - that cybersecurity demands we challenge our assumptions - is more relevant than ever.

Reduce your assumptions. Test and validate.
