Businesses are facing unprecedented levels of risk associated with threats to the confidentiality, integrity and availability of their information assets. Barely a day goes by without hearing a report of a new data breach, cyber-attack or phishing campaign. The threat landscape has clearly evolved, with new threats emerging all the time that threaten the security of organisations around the world.
There’s little doubt that cybercrime will continue to dominate the headlines for years to come. As cybercriminals become more sophisticated and devious in their attack methods, organisations will need to ensure they have robust systems in place to defend against these evolving threats.
The threat landscape is further complicated for organisations as they adopt more and more cloud-based solutions in their supply chains. While this might enable them to create more compelling product offerings, enhance customer experiences, enable greater business agility and minimise operational costs, many are ill-prepared to protect their information assets as they go on this journey.
While organisations have little influence over the information security risks they face in conducting their business activities, and even less influence over cyber criminality, they do have complete control over the processes they employ to protect their information assets. However, there are many well-publicised examples of organisations that have experienced data breaches where the root cause was cited as “failure to take reasonable care in the steps required to secure their information assets”. The application of more rigorous and consistent processes and controls would have prevented a large percentage of these occurrences.
Given this backdrop, it is hardly surprising that most business leaders struggle to accurately articulate their organisation’s Information Security Posture, i.e. how well they really protect their assets and how well they would react to a security incident. Even organisations with large IT security departments fail to manage their security risks effectively, because the information provided to senior managers and the Board is not meaningful (typically too little or too much) and does not provide a basis for action.
This can have major consequences for many businesses, because the board does not have the information it needs to understand clearly where the organisation is failing and what ongoing investment is required to protect its information assets.
While the adoption of frameworks like ISO 27001 and Cyber Essentials is a great step forward in helping organisations adopt more effective processes, these frameworks do not mandate the low-level working practices required across all disciplines to enforce the structure, consistency and rigour that are critical to the enforcement of security.
A systematic approach that translates policies into low-level disciplines, activities and controls, which can be monitored and remediated on an ongoing basis against business objectives to mitigate risk, is critical if organisations are to maintain and continuously improve their Information Security Posture. Furthermore, because information security is a moving target, the ongoing exercise of reviewing and maintaining the policies themselves should also form part of this process, so that the integrity of the approach is preserved over time.
Only by applying this level of rigour, consistency, structure and measurement can organisations take proactive steps to protect their information assets in an ever-changing world.