Do you take information security seriously? Of course, you do. We all do…don’t we? Well, there’s the thing. We all believe we take it seriously, but how do we evaluate our success? Let’s just pause for a moment and think about this. In the majority of businesses there is a focus on delivering a profit by providing goods, services and, of course, good service to the customer. In order to do this effectively, the business needs to ensure it has numerous controls and processes in place. Some of these controls focus on information security.
A good starting point for information security is ISO/IEC 27001. This standard provides a clear and easy-to-understand framework to work to whilst demonstrating to third parties that you take your responsibilities seriously. For some organisations though, this is not only the starting point, but sadly, also the end point. This is because some organisations may elect to become compliant to the standard but not proceed to certification. In my view this makes no sense at all. If you have made the commitment, make the commitment; otherwise it’s simply a box-ticking exercise that says more about the business than any certificate ever will.
Moving beyond standards and certificates, we then start to explore technology. When considering technology, where do you get your information from? When assessing potential technologies, what criteria do you use? Is it simply that you want the same functionality as you had previously but at a lower cost? Is it based around hardware, virtualised, software or cloud? Is it based around the perceived threats as identified in the security industry magazines? Is it about consolidated management? Is it about selecting a technology because it is proven or perhaps occupies a prominent position in a Magic Quadrant? Is it about all of the aforementioned plus some more?
So, returning to information security, why do we expect free impartial advice for our business? Should we not consider engaging a professional and paying them for their input in the same way that we do with other professions?
We see technology solutions becoming feature-rich, and in my view it’s often about doing more with less. This doesn’t necessarily just relate to monetary value. I am also talking about enabling features within your current technology stack.
The value add to your business is in understanding this. A good security consultancy will ask you the questions you forgot to ask yourself. Very often they will be closer to the current and emerging threats than you may ever hope to be – after all, it’s their job. They should be able to provide you with solid impartial advice that helps you shape your future strategy and meets with the known business objectives.
So, next time you are wandering around an information security exhibition, furtively picking up brochures to read on the train on the way home, stop and don’t do it. Look up, smile and ask the question to the guy on the stand. “What can you do to help my business?” You may just be surprised at the answer.
Want more information on ISO 27001 and how your business could benefit from certification?
Join us on Thursday 19th November 2020 at 11am, when we will have a 1-hour webinar taking you through the process of transitioning your business towards ISO 27001 certification. The webinar