In today’s digital age, organizations rely heavily on technological advances to collaborate with vendors and partners, communicate with shareholders, deliver goods and services to their clients, and procure raw materials and services from supply chains across the globe. Digitization has proven beneficial for business growth by enabling organizations to deliver goods and services to clients beyond their local and national borders. However, the same technological advances have also exposed organizations to cybercriminals and increased the risk to business operations.
Imagine a company whose systems have been compromised, and critical customer information and intellectual property stolen.
Businesses, regardless of the size or industry, cannot afford to see their name in the headlines due to a breach. For some, it may be the end of their business venture, and for others, it can have a significant financial impact and loss of customer confidence.
Now imagine that is your company. How will this impact your business bottom line, and will it erode your customer confidence?
That is the question business owners, executives and information security professionals find themselves asking all the time: What if we have a data breach?
It is a nightmare that keeps business owners up at night and drives investment in cyber defenses. Unfortunately, no silver bullet can thoroughly address this question. However, awareness of cyber threats and an understanding of their impact can help a business develop and implement controls that increase security and resilience against these threats. Businesses should also recognize that being prepared does not guarantee 100% security. Cyber threats are real: time and time again, data breaches involving small, medium and large organizations in both the public and the private sector have validated these threats and their potential impact. Businesses that believe they have implemented the controls and are therefore safe can easily fall victim because of that false sense of security. Being prepared helps the organization detect such attacks in a timely manner and activate its incident response program to reduce the impact on the business and its customers.
Laws and industry regulations may mandate organizations to develop programs that ensure data security, but at the end of the day it is your business, it is your data, and it is your responsibility to protect it.
“The Global State of Information Security® Survey 2016”, conducted by PWC, noted that cybersecurity threats continue to mount. Understanding and managing cybersecurity risks is becoming a priority for leadership across the private and public sector. Businesses are responding by adopting innovative technologies to reduce cyber-risks and improve security.
Protecting your client data is important (and it should be!) for the success of your business. Taking data security and privacy seriously and implementing the necessary controls can reduce the overall risk and potential impact.
So where to start?
Rethinking the roles of key executives, including the Board of Directors, developing strategic and proactive cybersecurity capabilities, embracing a more collaborative approach, and a willingness to invest in risk-based cybersecurity programs can be a good starting point. But what are you trying to achieve?
If your organization wants to achieve compliance with specific data security or privacy laws or industry regulations, then the program’s focus is compliance. It is critical to know that compliance does not necessarily ensure organizational information security. On the other hand, if your goal is to secure your organization’s information assets, then your first objective should be to gain a holistic view of your organization’s current state of security. Secondly, identify and adopt a framework that aligns with your organizational security and compliance needs. Thirdly, define and establish security roles, responsibilities and accountabilities.
It is also important to know that an information security program, if appropriately done, can ensure both security and compliance.
It is a known fact that organizations invest a significant amount of time and effort in developing business strategies, financial strategies, and marketing strategies to grow the business, increase profitability and succeed against competitors. However, more often than not, the same organizations fail to develop a strategy to protect against the most significant threat facing their business, the “Cyber Threat”, which has the potential to make all their business, financial and marketing plans fail and force the business to close.
Organizations should take the time to invest in developing strategic cybersecurity programs with a foundation based on risk, just as they invest in other business strategies. Additionally, adopting a security framework that aligns with the organization’s security needs provides a yardstick for measuring progress and the ability to grow and mature the program as the business grows.
The two most frequently implemented guidelines are ISO 27002 and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, according to “The Global State of Information Security® Survey 2016” conducted by PWC.
As mentioned before, an effective security program starts with an accurate understanding of the current state of the organization’s information security program. This article focuses on how to develop a comprehensive information security program that can also help ensure compliance.
Understanding the Risk
The starting point of an information security program should be to understand the risk, categorize it and implement controls to reduce it to acceptable levels.
Information Security is a continuous process of discovering, evaluating, correcting and monitoring security controls. The goal of this process is to ensure that the people, processes, and technologies across the organization are aligned seamlessly and working in harmony to ensure confidentiality, integrity, and availability of information assets.
For any organization developing a security program and associated controls, understanding the risk is critical to ensure alignment with organizational security objectives. It also ensures that any security investments made are strategic and provide the highest possible return on investment. Risk management establishes the foundation for managing risk and outlines the boundaries for risk-based decision making within the organization.
Risk assessment is a complete life-cycle that uses a base set of criteria to assess, measure, and calculate the risks involved.
Small businesses, which lack financial and human resources and have become a prime target for cybercriminals, need to take risk assessment seriously.
Choosing a Framework
A risk-based framework enables organizations to identify and prioritize risks, gauge the maturity of their cybersecurity practices and better communicate risk internally and externally. Technology alone won’t change the state of cybersecurity; the human side of the security equation is equally essential, as smart organizations have always known. This understanding can drive companies toward a more collaborative approach to cybersecurity, sharing threat intelligence and response techniques externally across industries.
Understanding the risk starts with the adoption of a risk management framework. The adoption of a security framework is a strategic decision influenced by the organization’s security needs, business objectives, and regulatory requirements. It helps guide the organization in developing strategies that provide the highest return on investment while ensuring risk reduction.
Several frameworks are designed to help organizations achieve their information security and compliance objectives. Although voluntary, these frameworks are intended as a guide for security practitioners, with the goal of providing them with a standard security language for developing comprehensive security, risk management, and operational continuity programs. This common language makes use of familiar topics in information security, and clearly expressed control objectives within those topics. The goal of these frameworks is to provide guidelines for developing security programs while allowing organizations to select and implement individual security controls based on their particular business needs, industry, geography, and environment. This gives organizations the flexibility they need to develop and implement industry- and organization-specific security programs that meet their particular security and compliance needs.
– to be continued