There has been plenty to contemplate in the set of recommendations made by The Culture, Media and Sport Committee following their report on cyber security last month. The report was triggered by the TalkTalk cyber attack in 2015 but identifiedas a significant threat to all UK businesses with an online platform or service where protection of personal is paramount.
It made interesting reading!
Perhaps one of the more contentious of the report’s 17 recommendations regardingwas the one that suggested…
“To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board”
Whilst the report makes it clear thatshould sit with someone other than the CEO, someone with full day-to-day responsibility for it, it makes no bones that this role should have ’board oversight’.
To judge the effectiveness of cyber-security ‘pre-crisis’ can only mean one thing….regular reporting and reviews at board level.
Actually, it means so much more than that! For a CEO to give ‘sufficient attention’ to cyber security requires a level of commitment and understanding and, most importantly, the means to continually measure the effectiveness of an information security management system that has evaluated risk and established information security objectives against which the measurement can take place.
But what does that mean in terms of which frameworks to adopt for effective information security management?
As the report clearly identifies, the government Cyber Essentials scheme, whilst providing a good basic level ofand technical controls, does not fully address information security management, i.e. the people and the process which are so often at the heart of any breach. Indeed, a Cyber Essentials certification gives no assurance that an organisation is regularly measuring their cyber resilience in terms of protecting valuable .
It may be an excellent ‘entry-level’ but, as the report suggests larger organisations, and those dealing with large volumes of personalshould be seeking other measures of their readiness.
One of those measures is the Ten Steps to information security management.which, whilst certainly better, still does not give a fully comprehensive framework for
For the concerned CEO, who wishes to mitigate the risk of pay packet exposure, there is little doubt that an ISO 27001:2013 information security management system (ISMS) is the most comprehensive framework to follow. As the internationally recognised ‘best practice’ standard, it is the only one to cover technology, people and process, and requires that effectiveness is measured, reviewed and continually improved upon.
It is little wonder therefore that, whilst not a prerequisite for inclusion on the UK government’s own Digital Marketplace, holding a UKAS ISO 27001 accreditation demonstrates the highest commitment to an externally audited ISMS and will better position you for winning business.
In short, government, private enterprise and the Board will all be looking for evidence that a CEO is managing effective information assets.to protect and
An externally audited, UKAS ISO 27001 accreditation demonstrates just that.
For a CEO, it doesn’t guarantee a breach won’t occur but it will give the best chance of preventing it and managing an incident effectively should it occur.
Of course, it can also win you more business and prevent future attacks to your personal finances too!