Gary Hibberd

20190830

As you can probably imagine, it’s not unusual for us to receive phone calls asking to talk about cybersecurity certifications, especially the ISO27001 security standard. But when someone called the other day, I don’t think the call went quite as they intended. Allow me to explain…

The caller explained they had been given my name by someone we had helped previously with their ISO27001 certification journey, and how successful and painless it had been. They then proceeded to explain what they did and why they needed the certification. All fine so far. Then they uttered the phrase that makes my heart sink every time…

“We just need to do this to tick-a-box.”

To be clear, I do understand that this is a phrase often thrown around, so I asked them to explain further. Things did not improve. “We know we’ve got to do this, but we don’t have the time so need you to do as much as possible. We just need to tick-a-box.” I asked for more information, but over the course of a 20-minute conversation, they repeated that phrase four times.

Getting Ticked Off

It turned out that their clients had started asking questions about their ability to evidence that security is in place, and whilst they couldn’t do it now, they had heard that ISO27001 could help them ‘tick it off’. After the fourth time of hearing the phrase, I politely but purposefully explained that ISO27001 is more than just a “tick box” exercise and that there can be real business value in security being managed properly. I explained that our role is to help them become more secure by transferring our knowledge and skills TO them, rather than doing everything FOR them. As consultants, our role is to support and to provide guidance, knowledge and skills, and whilst we will help develop and create a lot of the policies and processes needed, we cannot do it without our client’s active involvement.

Please don’t misunderstand me: I appreciate just how difficult cybersecurity can be, and ISO27001 can (at times) seem to make it even more difficult when it isn’t approached correctly. However, speaking from experience, the ISO27001 journey is a far more painful one when it is being done under duress. I can promise you that you will be nothing but ‘ticked off’ by the whole process if you approach this as a ‘tick box exercise’, and here is why.

ISO27001:2013 – The MOT Certification for Cybersecurity

For me, there is a clear analogy between vehicle maintenance and cybersecurity. As the owner of a motor vehicle, it is your responsibility to maintain its roadworthiness at ALL times, ensuring that it is capable of dealing with the conditions of the road and the changing environmental conditions, no matter what life throws at you.

As the owner of a business, or the person charged with its safekeeping, your responsibility is to maintain its reputation and ensure that it is capable of dealing with the conditions of the sector and the changing market environment, no matter what life throws at you.

There is no doubt that our environment is indeed changing, and at a pace that was almost unimaginable a few years ago. Cybercrime and data breaches are on the increase and, irrespective of the sector you are in, you are more likely to become a victim of cybercrime (e.g. fraud) than any other kind of crime. It is estimated that Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a Ransomware attack every 14 seconds. By 2021 it is estimated that the cost of damages to businesses large and small could top $6 trillion.

Yet despite the growing threat that we all know is there, some organisations are still approaching cybersecurity, and even their certifications, as a ‘tick box exercise’: doing the bare minimum to pass certification and then doing nothing for 12 months until the next annual visit from the auditor. Just like a child playing in their room, they only clean up when they hear the auditor creeping up the stairs! Then they sweep everything under the carpet in the hope no one will notice.

This is like buying a car, ensuring it has passed its MOT (just!) and then not maintaining it in any way, except to fuel it every so often, then being shocked when the wheels fall off and it bursts into flames around you! The certificate you receive for achieving ISO27001 is a little like the MOT certificate you receive: it only assumes that an organisation is operating effectively at a given moment in time. If that organisation is simply ticking a box, then it’s likely that once the auditor has left, nothing more is going to be done for another 12 months.

This is simply not acceptable in a world where threats and our reliance on data and data sharing are increasing daily. So what should we do?

Navigating the Super-Highway

Our super-highway is getting busier and there are an increasing number of dangerous ‘vehicles’ out there. Perhaps some of them are your suppliers, who have previously proudly waved a certificate under your nose when you asked them to evidence their security. 

So what can we do to improve our own security and gain a deeper level of trust in our certificates? The answer is relatively simple but requires a mind-shift, so consider the following as your new approach to cybersecurity and certificates:

  1. Assign someone to have oversight and ownership of your cybersecurity processes
  2. Ensure they have adequate skills, time and knowledge to do the work
  3. Put information security on the agenda at the board level
  4. Set some clear objectives for information security that you can measure
  5. If you have objectives in place (ISO27001 requires them), when were they last assessed and updated? (Are they still relevant?)
  6. Make information security a business strategic objective
  7. Set security objectives for each department, such as x% of time per week/month discussing or improving security
  8. Set a clear budget for training and awareness and have a programme that is more than just an e-mail or memo from the CEO
  9. Ask for a weekly ‘Threat Report’ (this is different from a risk report. You want to know where the threats are coming from. Is it from Ransomware? Is it fraud?)
  10. Identify what other certifications you can implement that will add an additional layer of security (based on your needs)

Some of the above is certainly covered in certifications like ISO27001, but the approach is more tactical and operational. What you’re looking for is ongoing, regular evidence that something is happening. 

Conclusion

The ideas/questions provided above can be used internally to discover attitudes towards cybersecurity and certification, or you might like to ask your suppliers the same questions (you are required to review suppliers in ISO27001, so why not ask them to answer these?).

The certification process for ISO27001 and others is not always an easy one, and it can require considerable investment in both financial and human terms. If an organisation DOESN’T have certificates in place, how can you be sure you can trust them? But given the tick-box attitude of some organisations, we all need to be asking deeper questions than ‘Are you ISO27001 certified?’ Because if we don’t, we may find ourselves trusting a fellow traveller on the super-highway who has barely passed their MOT, and the wheels are about to come off… as we stand firmly in its path or, worse still, as a fellow passenger.
