While most CEOs acknowledge that information security is a top priority, it is often addressed ad hoc, after a data breach has already occurred (i.e., the car engine has seized). The Target incident changes that paradigm and argues for a more proactive and methodical approach: an Information Security Management System (ISMS) built on the ISO 27001 and ISO 27002 standards, where 27001 specifies the management system itself and 27002 catalogs the controls it draws on. Companies already have standard processes for accounting, procurement and HR; why not have one for information security?
The U.S. Department of Homeland Security urges CEOs to ask the following questions:
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- What is our plan to address these risks?
- How does our program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week?
- What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber-incident response plan? How often is it tested?
An ISMS tailored to your company (one size does not fit all) defines what is monitored, what counts as a high-impact incident, and who must be told when one occurs. That is the red-light warning that something bad is happening, and it lets you take action with and through your security team before the damage spreads. Properly constructed, the escalation thresholds and reporting lines are fixed in advance, so a high-impact incident cannot be quietly absorbed or explained away below the executive level. It is a dangerous world out there. Take the first step: find out what security framework you have in place, compare it to the best practice in your industry, and develop a plan for improvement. Your shareholders, partners and employees will be reassured, and, most important, you will have taken a concrete step toward protecting your company's assets from security risks.