There has been plenty to contemplate in the set of recommendations made by The Culture, Media and Sport Committee following their report on cyber security last month. The report was triggered by the TalkTalk cyber attack in 2015 but identified cyber security as a significant threat to all UK businesses with an online platform or service where protection of personal data is paramount.
It made interesting reading!
Perhaps one of the more contentious of the report’s 17 recommendations regarding cyber security was the one that suggested…
“To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board”
Whilst the report makes it clear that day-to-day responsibility for cyber security should sit with someone other than the CEO, it makes no bones about the fact that this role should be subject to board oversight.
To judge the effectiveness of cyber security ‘pre-crisis’ can only mean one thing: regular reporting and review at board level.
Actually, it means a good deal more than that. For a CEO to give ‘sufficient attention’ to cyber security requires commitment and understanding and, most importantly, the means to continually measure the effectiveness of an information security management system. That in turn requires an ISMS that has evaluated risk and established information security objectives against which the measurement can take place.
But what does that mean in terms of which frameworks to adopt for effective information security management?
As the report clearly identifies, the government Cyber Essentials scheme, whilst providing a good basic level of cyber security and technical controls, does not fully address information security management, i.e. the people and the process which are so often at the heart of a breach. Indeed, a Cyber Essentials certification gives no assurance that an organisation is regularly measuring its cyber resilience in terms of protecting valuable data.
It may be an excellent ‘entry level’ but, as the report suggests, larger organisations, and those dealing with large volumes of personal data, should be seeking other measures of their cyber security readiness.
One of those measures is the Ten Steps to Cyber Security which, whilst certainly better, still does not give a fully comprehensive framework for information security management.
For the concerned CEO, who wishes to mitigate the risk of pay packet exposure, there is little doubt that an ISO 27001:2013 information security management system (ISMS) is the most comprehensive framework to follow. As the internationally recognised ‘best practice’ standard, it covers technology, people and process, and requires that effectiveness is measured, reviewed and continually improved upon.
It is little wonder therefore that, whilst not a prerequisite for inclusion on the UK government’s own Digital Marketplace, holding ISO 27001 certification from a UKAS-accredited certification body demonstrates the highest commitment to an externally audited ISMS and will better position you for winning business.
In short, government, private enterprise and the Board will all be looking for evidence that a CEO is managing effective cyber security to protect data and information assets.
An externally audited, UKAS-accredited ISO 27001 certification demonstrates just that.
For a CEO, it doesn’t guarantee a breach won’t occur, but it gives the best chance of preventing one and of managing an incident effectively should it occur.
Of course, it can also win you more business and prevent future attacks to your personal finances too!