Herewith the second installment of Doug Caddell’s essay on cyber-security.


We closed part one of this article by stating that improving your cyber security posture is about managing risk, and that risk will depend upon your firm and how you measure the various risks to your business.  We also said that we can’t protect every aspect of our systems, so we must prioritize our security dollars based upon our organization’s objectives and risk vectors.  We do this by conducting a Risk Analysis, the first step in most prevention, detection and remediation processes, and in certification programs such as ISO 27001.

What is your cyber security risk?

I’m not going to bore you with definitions and methods for performing a risk analysis, other than to say that information security risk may be expressed as a combination of probability and consequences.  What is the probability that a security event will happen, and what happens to the business (and your clients) if it does?  Information security assessments also identify vulnerabilities, and subsequently the threats that could exploit a vulnerability and cause harm.

The next step is to determine the impact on your business and the cost to mitigate the threat versus the firm’s ability to tolerate that particular risk.  Often we can accept a certain level of risk or transfer it to others, such as by obtaining insurance.  Regardless, knowing the risks that you face and understanding whether you should mitigate a vulnerability, defend against a threat, or accept a level of risk is a key management decision where your participation is required.

There’s a lot of talk about ISO 27001 certification.

The ISO 27001 certification was first published by the British Standards Institution as BS7799 in 1995.  So, should I care, and does our firm need this certification?  Yes you should care, and maybe you should be certified, and maybe not.

If you are a large firm with clients in regulated industries you should seriously look at ISO 27001 certification, which focuses on the implementation and continuous operation of an Information Security Management “System.”  The ISMS is the concept and foundation of how you – management – address and manage your organization’s cyber security posture.

When some people look at the outputs from an ISO 27001 certification project they only see the paper policies and procedures.  But the real result is the processes supporting organizational changes that create the foundation of a culture of security.  These organizational and cultural changes are the most critical to improving your security posture, and the most critical aspect is that they are management driven.  Management support is nice, but to be truly effective, top managers – you – must be outspoken proponents of a culture of security, and the associated fiduciary and ethical responsibility.

If I don’t have regulated clients should I care about certification?
