“If you believe, no proof is necessary. If you don’t believe, no proof is possible.”
Whilst the return on investment from an ISMS can be high, as we illustrate later, triggers for the initial investment generally come from external forces such as powerful customers. Forward-thinking internal leaders are starting to believe in the benefits of an ISMS too; however, until recently, little effort has gone into demonstrating the business case for an ISMS.
There are also growing numbers of other stakeholders who are much more interested in how their valuable information is used and protected. And as the pain from failure increases, organisations need better ways of demonstrating to those stakeholder groups that they can be trusted. Any historical belief that organisations naturally protect the privacy and security of valuable information is quickly being eroded towards a default of disbelief and distrust. The burden of proving that an organisation can be trusted is therefore growing rapidly. A good ISMS helps address those issues.
Cyber-crime is one of the fastest growing issues facing society, costing billions of pounds to economies and destroying lives. Privacy issues are growing rapidly too. Facebook and Cambridge Analytica are current examples of how belief and trust can be destroyed for millions of users, but there are plenty of others, especially at a business level; just look at the fines and enforcement activity increasingly being reported by the Information Commissioner’s Office.
It is why regulations like GDPR are being implemented to protect vulnerable individuals against powerful or untrustworthy organisations. Of course, corporate buyers are getting much smarter too, and not just because of the personal data issues; they have other valuable information assets in their organisations as well.
That is why standards and certifications such as ISO 27001:2013 are increasingly being requested by powerful customers. A good ISMS makes those standards much easier to achieve and sustain as well.
As an example of the changing times, the UK Government has recently added call-off terms to the G-Cloud 10 contract stating that (if requested by the buyer) suppliers will have an ISMS. Realistically, if a supplier wants to win business in the future, they will already have an ISMS in place.
They’ll also have one that their customer can trust quickly and easily, visibly and transparently. Otherwise, it will increase the barriers and costs of sale and might well result in the buyer going elsewhere.
It’s not just government contracts either. Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) across private, public and third sector organisations are now starting to push requirements for demonstrating information security credentials into their supply chains too.
Some customers are being responsible about that change, helping suppliers build capability, whereas others are simply forcing contract changes about privacy and security risk transfer. Either way, the supply chain needs to invest in this area and develop an ISMS that can be trusted. For more information on the ISMS.online Responsible Customer Programme, visit the website.
Boards and shareholders are also becoming much more aware of their own personal exposure, both reputationally and financially. With growing demands for personal consequences for company directors, we see legislation driving investment towards proactive protection with an ISMS, beyond blunt insurance policy instruments.
Indeed, switched-on insurers will reward (or at least not penalise) those customers who can demonstrate a good security posture.
Some of the actuarial models for deriving premiums are pretty basic, and many of the insurers remain clueless despite this being one of the fastest growing sectors.
That will also change very quickly, reinforcing why an ISMS, with all its broader benefits, makes more sense than simply taking on higher premiums.
Hope is not a strategy for information security, and sales rhetoric with basic ‘trust me’ policy statements is simply not going to work any longer. It might take another year or two, but the expectations are growing. We will see ubiquity in business for professional ISMS solutions in the same way we do now with customer relationship management systems like Salesforce.com and accounting systems like Xero.
The amount of work for a business case is dependent on how much the organisation already believes in the need for the ISMS and how ready the leadership are to embrace it.
An ISMS delivers a positive return on investment. The goal of our whitepaper is to show you why, what, and how you can get RoI from an ISMS that fits the business needs.
What are the key considerations when building the business case for an ISMS?
- A growing challenge
- Three reasons why nothing happens
- The return on investment from information security management
- A point on people
- In considering the technology
- What is an ISMS?
- What are the components of an ISMS?
- Why do organisations need an ISMS?
- Is your organisation leadership ready to support an ISMS?
- Developing the business case for an ISMS
- Benefits to realise – Achieving returns from the threats and opportunities
- Evaluating the threats
- Identifying the opportunities
- Stakeholder expectations for the ISMS given their relative power and interest
- Scoping the ISMS to satisfy stakeholder interests
- GDPR focused work
- Doing other work for broader security confidence and assurance with higher RoI
- Work to get done for ISO 27001:2013/17
- Build or buy – Considering the best way to achieve ISMS success
- The people involved in the ISMS
- The characteristics of a good technology solution for your ISMS
- Whether to build or buy the technology part of the ISMS
- The core competences of the organisation, costs and opportunity costs
- In conclusion