Cyber Security isn’t as complicated as you’d think
We all have standards, don’t we? We conduct ourselves in a way that we hope others will follow.
In the world of business there are standards for a whole array of things, from health and safety standards through to environmental standards, and from quality assurance through to cyber security. We expect organisations to adhere to these standards. When they fall short, they should be held accountable.
The problem is that many organisations don’t follow standards, and those that do often fall short of doing anything but the minimum. It’s like when you ask your children to tidy their room, yelling ‘I want everything cleared off your bedroom floor! I’m tired of tripping over things!’ Ten minutes later you show up, and sure, the bedroom floor is clear, because they’ve put everything on the bed and crammed it into cupboards! But they did what you asked, didn’t they? They met your requirements. Didn’t they?
Having standards and expecting others to adhere to them is critically important in a world where we are expected to trust organisations with our data, and the data of our loved ones. If your organisation is thinking of achieving a certification against a standard then you should consider carefully why you are looking to achieve it, and what the benefits are for you and your customers.
If you are serious about implementing a standard, here are some tips you might want to follow before embarking on the journey.
You need to have a firm grip on why you are doing this. It will require time, resources and energy. Good standards require constant maintenance and upkeep. Don’t treat this as a project that has an end-date: continual improvement will be required.
Which standard are you going for? ISO27001? PCI DSS? Cyber Essentials? NIST? SOC? There are a lot of (cyber security) standards out there, and a host of others that are non-cyber related. Knowing why you want to go with a certain standard will help you establish which to go for.
Who is responsible for the delivery of this standard and what skills do they have? Are they internal or external? Are they familiar with your industry? Does it matter? What level of resource and knowledge are you looking for?
Also understand that leadership buy-in is key in the vast majority (if not all) of standards. If you’re not bought into this at the highest level, then may I respectfully suggest you don’t bother. You’re wasting your time and everyone else’s. It’s just frustrating for all involved.
Whilst it’s not a project, you should clearly understand the approach you’re going to take, with key deliverables and measurable outcomes. The approach should be pragmatic, with a clear vision of what you’re trying to achieve and why.
What are you trying to protect? What data? What are the gaps in your understanding? How will you close those gaps? Conducting a health check (aka gap analysis) will help you understand this and will highlight the areas of key focus.
I believe having standards is vitally important, both personally and professionally. In my personal life I can only demonstrate these through my behaviour and conduct. I’m not externally assessed (unless you class my wife as the assessor!). In business we can easily demonstrate that we have standards and we adhere to them. Being externally assessed, or having someone external to the organisation validate what you do, using a standard as a ‘lens’ through which you can be audited, sends a very powerful message to your clients: you can be trusted.
Having standards isn’t necessarily hard. It just takes commitment and is a sign you’re someone that can be trusted.