Risk Management defines security
If security controls are not designed and implemented with risk management in mind, then you end up with an unworkable situation.
You might end up with too many or duplicate controls for example, which is very expensive. Also, you don’t want to report all controls to management, but focus on the effects of the controls, the actual results. In this blog, we want to give the reader a number of tips that will help organise the risk management cycle, the implementation of controls and the measurement of their effectiveness.
The ‘Cyber Security Assessment Netherlands 2020’ (CSAN 2020) contains the following outlook: “Progressive digitisation will influence both the threat and resilience and increase the importance of digital security. The further transition to a data-driven economy, with additional concerns about privacy and digital security, will increase the importance of digital security.”
Many organisations tackle information security in a structural manner. A cornerstone of the approach is often the decision to implement a “security framework”, such as the ISO 27001 standard. This is a good approach to making the security level manageable. But having said that, there are challenges. Because what exactly does “implementing a security framework” mean?
Implementing a security framework affects the entire organisation. The introduction of ISO 27001 requires a different way of working, in which security is integrated in the design of the work processes. As a result, these changes will also affect the tasks and responsibilities of employees. One of the most important aspects that is tested for ISO 27001 certification of an organisation, is the extent to which employees are informed, trained and enabled to perform their security tasks.
It is clear that organisational development in the security field requires continuous attention from management; this is what is called guidance. The designers of the ISO 27000 series of standards were well aware of the crucial role of top management. Article 5 in these ISO standards is about Leadership and prescribes which activities top management is expected to perform.
Top management is usually prepared to carry out these activities, if the business importance thereof is continuously demonstrated. This quality aspect of reporting often remains underexposed and the attention of top management drifts. What are the consequences of a lack of leadership from top management? What are the signs of insufficient management involvement and what can you do about it?
To start with the last question: the signs that information security is not a priority for top management are:
- The level of attendance at periodic information security meetings is declining
- Communication about the importance of information security is declining
- Too few or superficial questions are asked about the effectiveness reports
- Passive responses to the lack of evaluations of, for example, risk management
What are the consequences of a lack of leadership from top management?
The lack of guidance by management means that risk criteria are not strictly observed, which immediately leads to an “overshoot” of controls. Employees are seldom in the position to make a risk assessment equal to top management. For understandable reasons, they will want to avoid risks and therefore opt for more security controls. This overshoot makes risk management more bureaucratic and makes reports less relevant. It is therefore a self-reinforcing effect in the risk management cycle.
What can you do to keep management’s attention? Below are 5 tips:
Tip 1: Relevant security reports
First of all, management is entitled to relevant reports. That is different from a report on the activities that have been carried out. The reports must be about the most relevant security risks. So if you are involved in information security, ensure your reports are focused. Work with pictures and graphs as much as possible, so that a large amount of information can be easily summarised and the three most important elements can be highlighted.
Tip 2: Define goals and expectations
Second, management must also indicate what it expects from information security. In the standard this is called the ‘information need’ of the stakeholders. If it is then indicated at which level management is satisfied and when not, a basis has been created for defining a metric. Developing measures increases the effectiveness of security and compliance and the efficiency of reporting on the status.
Tip 3: Report on the effectiveness of the ISMS
Implementing and maintaining an Information Security Management System (ISMS) involves substantial costs. With this system, business goals are pursued, such as a lower chance and/or impact of a data breach, a lower chance of a security breach, etc. The costs that are avoided as a result can be seen as the yield side of the ISMS. This is the language that top management recognises and values.
Tip 4: Effectiveness of security policy
Fourth, ensure active management involvement in information security. In particular, a report on the efficiency of a policy provides many opportunities to inform management about the effects of the policy on the work floor. Where does the policy generate too much bureaucracy and where does the policy fall short? These aspects of policies are fairly easy to translate into consequences for the business.
Tip 5: Make the integration of security and organisation visible.
The integration of information security can be made visible by reporting on an aspect of information security. The simplest version of this is the degree to which ownership of, for example, assets has been assigned and authorisations have been granted. A similar report can be drawn up on risk and problem owners. The risk of a data breach is considerably greater with data sets that are not managed. The business consequences of this can be expressed in financial terms.
Implementing a “security framework” based on the ISO 27001 standard is a very effective means to further develop an organisation in the field of security. Here too, the security level is only as strong as the weakest link. This means that employees must understand what is expected of them. Especially owners of data sets or applications, business owners and IT leads are important roles in achieving the security goal. They will in any case have to have been trained in ISO 27001.