Practical Risk Management – Beyond Certification

By   Alok Tripathi
Principal Consultant and Cyber Security Specialist , ISG | Jan 10, 2023 03:59 am PST

Organisations regularly invest in their information security management systems (ISMS). These investments are a cost-of-business and cover the basics of fulfilling regulatory, compliance and certification requirements.

However, most organisations implement ISMS based on the ISO framework, creating policies and documentation that are static and unwieldy – this creates a challenging situation. Documents can be open to interpretation and lose any real value envisioned by the ISO framework.

The whole audit exercise becomes time-consuming, costly and cumbersome.

As we see cyber security move from a simple operational topic to a business requirement, ISO certification costs (which, on average, are €200k to €250k per annum for a medium-to-large company) should be converted to an investment better aligned with business needs.

  1. Security is more than certification

It’s one thing to have security certifications displayed on your website, but they become meaningless without taking action.

Companies need to honestly assess if they are getting true value from security certifications or if those certifications are just being used as tick-box exercises to reassure customers and increase sales.

Security certifications need to help organisations mitigate real threats, or they have no real value. So, verifying that a certification like ISO27000 is being implemented is vital.

  • Corporate security doesn’t stop at the IT or security team

It’s easy to forget about IT security and trust that the team responsible for securing the organisation’s infrastructure will do their jobs well, leaving other teams to do theirs.

But, with over 80% of cybersecurity breaches involving people, that mindset leaves organisations vulnerable to attack.

Everyone in the organisation should be responsible for security. That may require a culture change, but it’s a change that has to be made. 

Organisations also need to take a more refined approach to security training. We’ve identified four kinds of approaches that employees have to risk:

  • Risk-Takers – people who are open to taking risks but usually evaluate that risk first. 
  • Risk-Breakers – these people are responsible but a bit too detail-oriented. They’ll prefer to follow detailed instructions regarding IT security, but they could fall victim to more creative phishing attempts, like vishing. 
  • Risk-Makers – these employees tend to be more creative and innovative but may also see rules more like guidelines. 
  • Risk-Shakers – these people tend to learn through their own experiences. They’re curious and self-directed but won’t take risks unless they assess the risk as very low.

The best IT security training considers an employee’s approach to risk when training them. For example, an overly detailed set of rules is likely to alienate someone who shuns too much direction, whereas that same list of rules might give other employees a false sense of security.  

  • Be prepared to face new and emerging threats

As well as personalising security training, organisations that want to stay on top of security threats will ensure their training is updated regularly.

Cyberattacks are constantly evolving, as are points of vulnerability – from connected devices to vulnerabilities introduced with increased virtual working.

Cyber-criminals are always looking at ways to manipulate employees through social engineering (they may even use ‘whaling’ – targeting phishing attacks at senior executives or vishing to mimic the same executives’ voices to get more junior employees to do what they ask).

Organisations also face an increasing number of automated attacks from many areas and need to efficiently integrate their internal and external threat vectors to mitigate this threat.

Of course, this is easier said than done. It means daily, automated threat-hunting exercises and using level 2 or 3 security operation centre experts to review external threat intel and correlate it to vulnerabilities the organisation has already identified. Businesses also need to develop new threat-hunting tests and exercises to work on the findings – this is a continuous process.

  • Invest in recovery, threat protection, detection and response

As more organisations invest in good Security Information and Event Management (SIEM) platforms, they realise these platforms’ inbuilt tools aren’t necessarily tailored to their needs. Existing teams often take a long time (around six months on average) to get these platforms up to the required specifications.

The best way for organisations to hit the ground running when it comes to threat protection is to prioritise and be agile with their investments in improving the platforms they use. For example, while the SIEM platform is being implemented, invest in updating, automating and teach the system to spot real threats and reduce background noise. Use the findings of previous penetration testing, vulnerability scans, red teaming, etc., to prioritise use case implementation.

Organisations can improve the effectiveness, efficiency and return on investment of their cybersecurity by working with a partner that implements machine learning, artificial intelligence and other digital solutions that help improve the overall security of the business.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x