Reason 1: Not having a compelling internal need to act
Aside from more forward-thinking leaders who are prepared to invest, having an ISMS is not seen as a priority by many leaders right now. Whilst the evidence of threat is overwhelming, until a loss happens to them or someone they know, nothing material happens beyond operational security purchases (e.g. antivirus, firewalls).
Depending on your starting point and stakeholder expectations for the future, doing nothing is not an option any longer. External forces for change are mounting and need to be considered carefully as do external stakeholder expectations.
Regulations are directing organisations towards more professional approaches to security and protection. One data breach can kill a company and have devastating consequences for the stakeholders who suffer the loss. A pragmatic and well-focused ISMS helps address that risk.
Powerful customers are also getting smarter about managing their supply chain risks and mitigating failure. However, whilst the forces pushing for change are strong, unless the resisting forces are addressed (e.g. leader apathy to invest), any ISMS implementation is unlikely to be successful or sustainable.
Reason 2: People not knowing what to do or how best to do it
There is so much noise in the infosec and privacy world right now. With so much choice and so little clarity on the benefit, people simply don't act because they can't be sure they are making the right decisions. They may not have the time, interest or expertise to learn about the subject either.
Looking at the needs of powerful stakeholders is crucial. In the absence of clearer direction from powerful customers or regulators on what a certification standard looks like for GDPR (as one example of legislation), a good way forward is to follow minimum standards such as the ICO checklists and Cyber Essentials and, for a more comprehensive approach, ISO 27001:2013.
We present the information security maturity map later and assess stakeholder expectations; both can help as a foundation for your organisation to consider and plan where it might want to move towards in future.
Reason 3: Seeing infosec and privacy purely as a cost
Information security and privacy management can be a struggle for some leaders to get excited about, so they see only one part of the equation: cost. They also consider it very complicated, so without addressing reasons 1 and 2 it stays in the 'too hard' box.
Moving resistant people internally from a cost mindset to a benefit mindset is crucial for success and for leadership buy-in.
More strategic and professional information security management needs to show the return part of the equation and be considered an investment, not just a cost.
The RoI can be compelling when done with serious consideration. It also needs to be recognised that, like professional sales, accounting and other key business systems, an ISMS needs more than a shared folder, emails, spreadsheets and documents to work well enough to be trusted and effective.
Apart from the cyber criminals active in this area, there really can be business winners, not just losers or further costs to budget for in future.
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
What are the key considerations when building the business case for an ISMS?