Gary Hibberd

2019-10-18

The Emperor's Clothes – An Open Letter to CEOs and Business Owners

In 2018, the ‘Year of the GDPR’, there was a lot of panic and a lot of panic-buying, as many people seemed to struggle to understand the new regulation governing personal data and how it is used. What the panic created was a lot of noise and a whole lot of ‘snake oil’, both of which you need to guard against. Many CEOs and business owners complained that it felt like ‘Y2K all over again’, and I have some sympathy for you in this regard, so on behalf of the cybersecurity profession I can only apologise. However, let us move on, and let us be honest. There will always be companies and people out there with less than honest intentions, so it’s important that we don’t fall into the trap of believing we can simply buy a ‘solution’ to security and data protection.

The Emperor's New Clothes

There is an oft-quoted joke that goes like this:

“What’s the difference between a second-hand car dealer and a cybersecurity salesman?”

Answer: “The second-hand car dealer knows he’s lying to you.”

As our world has become increasingly reliant upon digital devices and the processing of data, the need to secure those devices and that data has never been greater. Yet time and time again we see stories of organisations losing data or suffering major data breaches. Each time it happens, we hear the leaders of the affected organisation state that “privacy and security are of vital importance to us.” But is this true? Let me be open with you: NO ONE believes you, so stop saying it and start proving it.

Ok, maybe I’m being harsh, because I’m sure you think it’s true, perhaps because you have invested in technology that will help protect your organisation from the multitude of threats that exist. But therein lies the problem. Have you simply invested in the Emperor's new clothes?

I’m sure most of you are aware of the fabled Emperor who was duped into buying ‘invisible’ clothes, having been told that only the truly intelligent could see the intricate and beautiful materials. And whilst the majority of people agreed on the ‘beauty’ of the clothes, it was only when a small boy pointed out that the Emperor was ‘in the altogether’ that the truth was revealed. This is a story we see being played out in our modern society as cyber ‘solutions’ are purchased.

Everything from cloud services to encryption tools is bought, installed and trusted in the hope that it will keep your most valuable assets protected. But, just like the Emperor, it’s more likely that you’re leaving yourself exposed, and ultimately embarrassed with a tarnished reputation. A tool that is installed but not configured, monitored and maintained protects nobody.

Security should not be a ‘one-hit-wonder’

If you truly care about privacy and security, you will have done more than purchase a product to protect the data you hold. Security is a multi-faceted, multi-disciplinary area that requires far deeper consideration than installing an encryption tool for your email.

What should you do now?

If you haven’t heard of ISO 27001, now is the time to talk about it. Don’t worry, I’m not going into detail about it, except to say that it is highly valuable to achieve and can give you the following advantages:

  • Increased revenue

  • Improved efficiencies

  • Reduction in costs

  • Increased market value (for shareholders)

  • Increased brand loyalty

  • Brand / Reputation protection

If you have never heard of ISO 27001, take a look for yourself. But to be clear, it is NOT an IT standard. It is a standard that defines an Information Security MANAGEMENT System. That is to say, it will give you a clear understanding of how security should be managed within your organisation, and it’s a good standard to adhere to. But where does it start?

Starting with you

Why is the standard so good? Because it starts with leadership. It doesn’t start by saying ‘install X solution’; it starts by asking you to demonstrate leadership for information security. You are the leader of your organisation, so you need to demonstrate your commitment to privacy and security, not just in words but in deeds.

People, Premises, Policies, Processes, Providers and PCs

You’re a busy person, and if you’ve read this far I would like to congratulate you on being the type of person and company we would love to work with (we choose our clients as carefully as they choose us). I’ll refrain from going into detail about the standard, but I will tell you that it covers all of the above areas, so you can see that ‘PCs’ (i.e. technology) is only one of six areas you should be addressing in relation to security and data protection.

Conclusion

This open letter is written to you, the leader of your organisation. It’s a tough job, and we are living in challenging times. As the leader of a successful business you have enough to think about, and worrying about cybersecurity can be made easier by thinking about it more holistically. It’s a complex issue, but it doesn’t need to be complicated.

So here’s my challenge to you: at your next board meeting, put cybersecurity on the agenda. Talk about it for at least an hour. Get everyone to bring their perspectives, concerns and solutions. Give it the air time it deserves.

Put cybersecurity ON the agenda, before it BECOMES the agenda.
