The current state of cybersecurity is quite simple: each day we discover a new set of threats and vulnerabilities. Businesses have discovered – the hard way – the cost of not investing in an experienced InfoSec team.
This new perspective has been gradually changing the information security market, and papers like ISACA’s State of Cybersecurity: Implications for 2015 show that cybersecurity in general has been getting more support from upper management (really?) and bigger budgets (R U SERIOUS?). Paradoxically, there is a huge cybersecurity skills crisis: experienced professionals are in short supply on the market.
CORPORATE CULTURE: IT IS A GREAT INFORMATION SECURITY TOOL. Culture, in general terms, can be understood as the set of ideas, habits and social behavior of a specific group. This translates into values, beliefs, ideologies and group behavior. In a corporate environment, it is only natural that every organization has its own culture. And yes, this is one of the key factors that can determine the success or failure of information security.
The fact is that CULTURE EATS STRATEGY FOR BREAKFAST. The phrase, originally attributed to Peter Drucker, has never been as true as in modern organizations, especially in matters of Information Security and Risk Management. Corporate culture can either motivate professionals or drain their energy. Understand: culture is the environment in which corporate strategy, even the most well defined, blooms or withers. Any company that tries to disconnect these two factors is creating an unnecessary risk on the way to success.
Over the past few years, several companies have learned – the hard way – that neglecting information security can have disastrous impacts on operations, brand and financial results. This scenario leads us to believe that the mindset of senior management should have evolved into a more mature approach, where security is seen as a business enabler, incorporated into every aspect of the strategy and transmitted through corporate culture, right? Yeah, dream on.
I am very satisfied to inform you that my paper has been selected for presentation at the (ISC)² Security Congress Latin America 2015, to be held in São Paulo on 24 and 25 November.
My presentation is titled Information Security – Surviving a poor cybersecurity corporate culture. If you wish to know more, here is the abstract submitted during the call for papers:
During the last couple of years, several companies have learned – the hard way – that neglecting Information Security can have disastrous impacts on operations, brand and financial results. This scenario prompts us to believe that the manager mindset should have evolved to a more mature approach, where security is seen as a business enabler and incorporated into every aspect of the strategy.
The truth is that – even now – little has changed. Security is still mostly regarded as a purely technical discipline and perceived as unnecessary cost and bureaucracy by managers and business alike. That is, until a major incident happens, and all of a sudden those alerts sent by the security team become relevant.
Who is to blame? The business that disregarded sound advice, or the Security Team that did not know how to communicate in business terms?
The great challenge is not a technical one. Cloud, Big Data, Business Transactions, Data Leakage: for each risk there are several technologies that could be implemented to address the issue. However, that amounts to nothing compared to the trials of creating a strong cybersecurity culture, involving strategy, mature processes and especially people.
The main objective of this presentation is to discuss the creation of communication bridges from the Information Security Team to all levels of the business, going beyond the simple implementation of technology to address the challenge of creating a proactive cybersecurity mindset.
IF YOU ARE AN INFOSEC PROFESSIONAL, A STUDENT, OR HAVE ANY INTEREST IN THE SUBJECT, you are very likely to have heard about ISO/IEC 27001:2013. What you may not know is that the 27K family is much, much bigger.
Currently there are 16 publications dedicated to the implementation and operation of an ISMS (Information Security Management System) aligned with international standards and suitable for businesses of all sizes and verticals. According to the Brazilian National Information Security Survey, which I published last year, more and more Brazilian companies have been investing in and adopting the standard.
2013 was a year with no shortage of news about hacker attacks, data leaks, digital espionage and privacy issues (hi Obama!), and the result is that Information Security is now – more than ever – in the spotlight.
In this context comes the revised version of ISO 27001, the international standard that, for more than a decade, has been one of the main references for managing Information Security. A series of questions may come to the minds of IS professionals: What really changes? Is the standard more effective?
Of course, professionals in charge of ISMS management are already wondering about the number of new controls and documents required to obtain or maintain certification.