Showing posts with label Risk management. Show all posts

Wednesday, 25 February 2015

Why in the world should managers be interested in information security?

You should be involved in security because security means something to your customers and because cyber attacks and security incidents are beginning to occur within all kinds of businesses. We have all seen the numerous examples of data breaches, attacks and other security incidents in the news. Often, one might expect or hope that the organisations involved were better protected than they actually were. Information security is very much on the agenda, both in the business world and in the media.
Your customers, regardless of whether you sell directly to customers or to other businesses, are presently interested in the topic. That is why you as a manager and a senior executive should take an interest in whether your organisation is sufficiently prepared for a major cyber attack or a systems crash. That should be as good an argument as any! However, there are even more good reasons that I would like to share with you.
Brand image and profitability: Perhaps you have spent years slowly but surely building credibility for your brand name(s). You want your customer to have confidence in you. One security incident can quickly serve to reduce the trust and confidence you have gained to such a degree that even the best (or most expensive) image campaign will not be able to bring it back.
Costs: Add to this the enormous costs you face when you need to deal with a major security breach. Such costs are incurred both by the incident itself and by the subsequent investigation, cleanup and restoration. Theft of company secrets and/or intellectual property, as well as industrial espionage, can obviously be expensive and even a threat to the very existence of some companies. Afterwards, it will surely be shown that more investment in preventive security measures would have made good sense and would have saved money. Moreover, since the threat will continue to develop, it would be a good investment for the future as well.
Legal Statutes: You are subject to certain legal requirements demanding that you have a sufficient level of information security. Bear in mind present and future Personal Data Acts. The future EU personal data legislation (a regulation) is expected to be passed so that it will apply in all EU Member States. It provides for companies to pay fines of perhaps as much as 5% of their turnover for computer security breaches. There is a comprehensive requirement that the affected parties be notified (data breach notification), which is both expensive and difficult to perform. Add to this a number of industry-specific requirements: for example, that financial enterprises must comply with the financial supervisory authorities' requirements concerning information security, the requirements placed on the energy sector and the health sector, and the requirement for state-run enterprises to comply with the ISO 27001 standard.
Governance Requirements: Corporate governance requirements determine 1) that management set out the procedures necessary for risk management and internal controls, 2) that the board take a position on strategic and commercial risks and 3) that managers who have negligently caused the company to suffer damages shall pay compensation for such damages. In other words, there is also an array of legislative reasons to be interested in information security.
Audit: You likely also strive for your audit to be consistent with most of what can be found in those long audit guidelines. Your information security will also be audited. Keep in mind as well that, regardless of the fact that accounting firms play a dubious double role (at the same time offering a wide range of both audit and advisory consultancy services within the field of information security), it pays for you to prepare for the audit proactively. It should be easy for you to document that you are in control of your information security.
However, what should you as an executive do, in addition to taking an interest in the topic? Easy: a) you should communicate to your organisation that security is important and that it is a basic condition for your business activities, and b) you should investigate whether you have allocated sufficient financial and human capital in your organisation to deal with the everyday, practical management of your information security.
If you want to get a little bit deeper into the subject, I recommend you examine your maturity level in these areas:
  1. Policies, rules, procedures and documentation
  2. Risk management (risk assessment and continual risk treatment)
  3. Incident management and contingency plans
Proper governance and management of information security have become common best practice simply because they have become a necessary condition for most commercial activities. That is why a manager should be interested in information security.


PS: I have summarised the six reasons for you in this document here.

Best regards
Lars Neupart

Blogger: Lars Neupart is the founder and CEO of Neupart


PS: Click here to follow us on LinkedIn

Monday, 29 July 2013

How does the ISO 27001:2013 affect your risk management process?

ISO / IEC 27001 was introduced in 2005 and has become a very popular international standard. Now ISO 27001 is being revised and a new version is due later in 2013. I’ve looked at the changes before and outlined the main differences between the old and the new version.
One central topic of the new ISO 27001 is the risk management processes. So our team here at Neupart has prepared a white paper to let you know how ISO 27001:2013 will impact your risk management processes.

Here’s a little teaser: One of the changes in the new ISO 27001 is that it only requires that you identify risks in relation to confidentiality, integrity and availability. This gives you greater flexibility in your choice of risk method.

You don’t have to provide an email address or any other information to get the PDF. If you have a moment, all I ask is that you let me know what you think about the changes in ISO / IEC 27001 or the whitepaper in the comments below.

Grab your copy of “How the ISO 27001 revision affects your risk management process” here.

Or view a webcast on the same topic here.

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.

PS: Click here to follow us on LinkedIn.

Tuesday, 30 April 2013

Six questions about the ISO 27001 revision (with answers)

How does the ISO 27001 revision impact your risk management?

I recently held a presentation on this very topic in an attempt to address some of the questions, and if you haven't already, I strongly recommend you go and watch it! You can watch it here.

I have since received a lot of feedback and more questions. Since many of these are relatively basic questions I thought it would be a good idea to share them and the answers here.

If you are looking for the presentation slides you can find them here.

Now on to the questions:

1. What else is new in ISO 27001? Is it only about risk?
No, there are plenty of other changes. For example, management will have an increased responsibility in IT risk management. There will also be increased flexibility in your choice of risk method.

The revision is still only a draft so changes can still occur.

You can see a few of the possible changes here:


2. Will it take a great amount of effort to shift to the new ISO 27001?
No, quite the contrary. ISO 27001 is not filled with technical demands on your security, internal audit or otherwise. The 2013 draft has the same main content as the 2005 version; the purpose and many of the activities are the same.

The main difference is that the way it is presented has been altered, creating sharper formulations, and some areas are given more flexibility.

A transition would therefore not require lots of extra effort on your part.

Further, you have absolutely nothing to fear if your company is already ISO 27001 certified.

3. Are there any consequences for the management (risk owner) if you do not achieve compliance?
There will only be consequences for the risk owner if your company has decided that such consequences should exist. It can, however, have consequences for your ISO 27001 certification and may result in a reprimand during an audit visit.

4. Is there a good mapping between NIST SP 800-53 controls and ISO 27001?
Yes, the National Institute of Standards and Technology has even released a paper regarding the issue. You can find it here.

5. When will SecureAware reflect the new ISO 27001 standard?
Shortly after the new ISO 27001 changes are finalised and made public.


6. Is there already a paper about risk management in the new ISO 27001?
There are currently, to my knowledge, no specific papers available on this topic.

However, Neupart will publish a paper on the topic. Once it is finished it will be available on our website and everyone on our mailing list will be informed.

If you have any questions not listed here, then feel free to contact me and I'll do my best to answer them.

You might also be interested in some of Neupart's other webinars. We offer you a learning experience with hands-on approaches. Check them out here: http://www.neupart.com/events

About the Author: Lars Neupart is founder of Neupart A/S and wants you to know that SecureAware = efficient information security. Get more of him on Twitter.