Information security management, risk assessment and risk management get a lot of attention in the business circles - so much so that sometimes it seems a tower too high to climb. We have listed seven practical guidelines to take into account regarding information security in any company.
While “all modern companies are IT companies” is an adage on the verge of becoming a cliché, information security is still often seen as a thing in itself, rather than a combination of different critical processes within a company. Most companies see information security as a separate process, often delegated to a specific department of team that provides input and support to other teams, whereas in order to achieve an appropriate level of information security, it needs to be integrated into all processes and seen as a natural part of operations for the entire enterprise. Moreover, information security risks are often seen as something from deep inside the IT-department, not to be dealth with anywhere else - while in fact, infosec risks are business risks like any other, and need to be accounted for as such.
We have all probably seen companies where infosec is the responsibility of one (or a few) “information security specialists”, somewhere within the complex array of organisational hierarchies. While a comfortable arrangement in terms of delegation, information security starts with company culture, leadership and setting an example, and must be prioritised at the highest level of management. While specialists are indispensable in times of crises, it is the leadership example that builds an environment of trust and ensures a high regard for information security by the entire team. Management is responsible for the decision-making process, sets the necessary KPIs and is in charge of the big picture, while the specialist supports with detailed knowledge.
Overregulation and bureaucracy are the greatest enemies of efficiency and sometimes seem… too much. In the case of information security and risk assessment, regulations build the foundation upon which the security processes are set. If the foundations are built strong, it is easier to build more specific regulatory processes upon them while retaining an understanding of the entire system without getting lost in the spider-web.
It is important to have a clear understanding of the companies’ needs for risk assessment, mapping out clearly what the most relevant needs and aspects of information security are for your company (including which processes are the most critical). Risk assessment should be considered an operational tool for everyday decision-making, rather than a tedious obligation done once a year. Measuring and weighing risks allows for better, more accurate managing of business operations, better planning and therefore, better business results. Sustainability and continuity in risk assessments brings long-term good results.
Information security begins with corporate culture and an environment of trust. One can have the best processes in place with stellar risk management, but if the team is too scared or embarrassed to admit (or report) incidents, the results could be disastrous. It takes time to build the understanding that reporting incidents provides better means to solve them, rather than getting a slap on the wrist. Building that takes a combined effort from the management, HR and onboarding - never forget your newest team members! The rewards, however, go beyond good cyberhygiene and support a better work environment as a whole.
However bad a situation might look, all crises have one thing in common: they pass. Solving a crisis often allows for the overhaul of other related broken processes or to get a clear view of what might be done better next time. Take the opportunity to get an earnest look on what brought the crisis on, but don’t neglect the opportunities. Good crises are often the breeding grounds for progress.
When something hits, it is rarely an isolated event - as the saying goes, “all things come in threes”. Be extremely mindful of all the risk factors and how they interlock, especially when playing out risk scenarios for your company. Remember to take into account all processes related to a possible incident, and during one, remember to be more attentive to processes close to the affected one.
Written by Mari Seeba