Herewith the second installment of Doug Caddell’s essay on cyber-security.
We closed part one of this article by stating that improving your cyber security posture was about managing risk, and that risk will be dependent upon your firm and how you measure the various risks to your business. We also said that we can’t protect every aspect of our systems, so we must prioritize our security dollars based upon our organization’s objectives and risk vectors. We do this by conducting a Risk Analysis, the first step in most prevention, detection and remediation processes, and certification programs such as ISO 27001 certification.
What is your cyber security risk?
I’m not going to bore you with definitions and methods for performing a risk analysis, other than to say that information security risk may be expressed as a combination of probability and consequences. What is the probability that a security event will happen, and what happens to the business (and your clients) if it does? Information security assessments also identify vulnerabilities. And subsequently threats that could exploit a vulnerability causing harm.
The next step is to determine the impact on your business and the cost to mitigate the threat verses the firm’s ability to tolerate that particular risk. Often we can accept a certain level of risk or transfer it to others, such as by obtaining insurance. Regardless, knowing the risks that you face and understanding if you should mitigate a vulnerability, defend against a threat, or accept a level of risk, is a key management decision where your participation is required.
There’s a lot of talk about ISO 27001 certification.
The ISO 27001 certification was first published by the British Standards Institution as BS7799 in 1995. So, should I care, and does our firm need this certification? Yes you should care, and maybe you should be certified, and maybe not.
If you are a large firm with clients in regulated industries you should seriously look at ISO 27001 certification which focuses on the implementation and continuous operation of a Information Security Management “System.” The ISMS is the concept and foundation of how you – management – address and manage your organization’s cyber security posture.
When some people look at the outputs from a ISO 27001 certification project they only see the paper policies and procedures. But the real result is the processes supporting organizational changes that create the foundation of a culture of security. These organizational and cultural changes are most critical to improving your security posture, and the most critical aspect is that it is management driven. Management support is nice, but to be truly effective, top managers – you – must be outspoken proponents of a culture of security, and the associated fiduciary and ethical responsibility.
If I don’t have regulated clients should I care about certification?