Published on Friday, August 9, 2019 - 12:01 by Richard Jones
“No one ever got fired for buying IBM” was the proverb of its day. It stood for a safe decision, one that would stand up to boardroom scrutiny, even if you’d paid a bit more and got a little less than going with one of their competitors.
Of course, it has subsequently been applied to various other vendors or service providers that represent a similar level of assurance; a metaphor for safety in numbers, a sound decision that represents a sort of procurement “best practice”.
The reality is that cybersecurity is now a boardroom issue.
The implementation of an Information Security Management System, such as ISO27001, is just the sort of best practice that could help board members retain their jobs – even if their organisations get hit by a high-profile cyber incident. It goes far beyond investing in the assurances of a technology vendor, and intends to bring information security under management control with specific requirements.
The need to evidence that an organisation takes cybersecurity seriously will only become even more prominent. With the recent intentions to fine issued by the ICO acting as ‘warning shots across the bow’ to boardrooms all over the world, this clearly illustrates that data breaches which could have been avoided will attract a significant penalty.
It’s worth noting that the fine meted out to British Airways equates to nearly the same amount as a brand new Boeing 787 - significantly more than the ‘loose change’ a pre-GDPR incident would have attracted!
Indeed, the size of fines will always be influenced by ‘aggravating’ factors; a euphemism for things that could and should have been avoided - often via compliance and good governance. I would wager that audited compliance to an internationally recognised ISMS will be looked upon more favourably than a multi-million pound investment in a shiny new threat monitoring system.
What’s more, the former will almost certainly provide boards with a greater degree of assurance ahead of an abstract technology investment, the purpose of which will almost certainly have been lost on all but the CISO.
An ISMS should drive technology investment, not the other way around.
Anyone who visited InfoSec Europe back in June could be forgiven for thinking it’s still all about technology; over 200 vendors promoting a vast array of increasingly elaborate threat detection, endpoint protection and vulnerability management solutions that were all vying for your cybersecurity bucks!
These are all great if they are being deployed to best effect, managed by a skilled team and maintained in line with the ever-evolving threat landscape. However, it’s a tad ironic that the business case for such investments will often come via the use of an ISMS, which will have helped to define the risks and focus the right controls in the right places.
And whilst the value of technology should never be underestimated, we continue to be reminded that unpatched vulnerabilities, lax password policies and under-educated employees are at the heart of most security breaches. Ironic then that an ISMS is exactly what needs to be in place to deal with these rather mundane issues, which despite significant technology investment, many organisations continue to wrestle with.
With cybersecurity having often been retrofitted around legacy systems and still often considered as an after-thought where contemporary applications are concerned, an ISMS serves to embed it into the fabric of an organisation, ensuring through a process of continual improvement that it remains fit for purpose and auditable. Plus, it’ll almost certainly help extract more value from existing security investments.
Getting an ISMS off the ground does require board-level commitment, which will in turn provide far more tangible evidence that your board is invested in the cyber wellbeing of a company as opposed to signing off on a new piece of technology. All too often it’s a case of “all the gear, but no idea”, as a CEO tries to explain away the “sophisticated nature” of a phishing attack that has circumvented an expensive array of threat detection tools.
With most businesses required to comply with other mandated standards, such as health and safety, why not the same for cybersecurity? After all, more and more businesses are powered by personal data. And whilst there is an investment in time and support upfront, just like a dog, it’s there for more than just Christmas.
In conclusion, an ISMS is a bit like carbon fibre.
Layers of what is, to all intents and purposes, a flimsy fabric. However, when bonded together with more layers it becomes almost unbreakable.
It allows an organisation to focus its investment in the right places, or as someone once said to me - placing the ‘emPHAsis on the right syLLAble.’ Finally, it also ensures that cybersecurity is embedded into the way a business is managed. And it would be very hard to get fired for that!