Cyber security is a phrase being debated in many board meetings at the moment, with some considering the broader category of information security.
Unfortunately, the sheer breadth of solutions, industry acronyms and “best in the world” vendors makes tackling cyber security risk a daunting task.
If cyber security is the buzzword, everybody’s next least favourite term is compliance.
The completely justified worry about the threat to everyone (organisations and people) by cyber criminals is driving more suppliers, insurance brokers and tenders to quote “compliance with X standard” as a prerequisite.
While we’re seeing this across the board, it is particularly prevalent in organisations that are in public sector supply chains where compliance with ISO 27001 and/or Cyber Essentials is a requirement.
20 seconds to comply
So why are standards so difficult to implement? At the risk of making sweeping generalizations, it’s because many organisations treat them as a target (getting a certificate on the wall) rather than a tool to help improve security. They rush to get standards done against a timeframe rather than against a set of outcomes (e.g. “we must have 27001 by x date” rather than “let’s get accredited at x milestone”).
Information security standards provide a clear set of activities and routes to improving your information security and, when followed, significantly reduce the risk to your company.
Security standards help kick start the risk reduction process (often called risk treatment) by providing either prescriptive controls that must be applied (as is the case of Cyber Essentials) or a broader set of good controls (as provided by Annex A of ISO 27001).
It’s just risk…
Mature companies are generally pretty good at managing traditional threats that pose a risk to their business, such as fire, theft, legal action, etcetera. Information security should be approached in the same way, though because of its complexity it requires a more granular approach, and many – though not all – of the mitigations will be technical in nature.
As with any risk, security risks have varying levels of impact, but as demonstrated in recent high-profile attacks, cyber attacks are particularly devastating due to the financial penalties (in the form of fines), financial costs, operational downtime, loss of customer confidence and significant reputational damage.