This is a guest contribution from our speaker Darren Kewley, a cyber security specialist and Director and Co-Founder of cyber security company Protos Networks. Darren is a fully licensed assessor for the government-backed Cyber Essentials scheme and has held senior positions at Unilever, the Foreign and Commonwealth Office, and Verizon. Here Darren shares with us the importance of having board-driven cyber security.
Over the past few years, I have assessed and audited an eclectic mix of organisations against a number of cyber security standards. Time and time again, one thing sticks out to me like a sore thumb: the businesses with the best strategy usually have senior management fully behind it. On the flip side, I also meet a lot of IT managers who face a constant battle for the support and budget needed to address their security concerns and, in turn, keep their directors' business secure.
At a corporate level, the impact of a security breach is usually a risk that C-suite executives are aware of and plan for. That's not to say that corporations don't drop the ball – they do… a lot. However, at the corporate level there is usually plenty of budget available for information security, and a CEO who oversees an embarrassing breach will most likely find themselves replaced. Likewise, larger corporations will often have a Chief Information Security Officer (CISO) and a dedicated Security Operations Centre (SOC) to drive their security strategy and to detect and mitigate threats. But what about at the SME level? Do directors and business owners understand the risks to their business and the leadership required to implement the right technology and controls?
Business decision makers don't need to be technical experts in information security – but they do need to be leaders. Employing the right staff and suppliers is key, and business leaders need to listen to what their technical experts are telling them.
The board should also set the IT team, security staff or suppliers annual targets, such as regular penetration testing, vulnerability assessments and audits, or achieving certifications such as Cyber Essentials Plus or ISO 27001. Not only do these standards provide a framework for the security strategy, they also demonstrate to customers and partners that the business takes the security of their data seriously. Many of these standards are now a requirement for both public and private sector contracts, and with the GDPR being adopted into UK law in 2018, many organisations now see these standards as a good way of assuring the security of their supply chain.
Gone are the days of IT security being left to the IT department. For most organisations, preventing cyber-attacks and data breaches requires a change of culture. If any such change of culture is to succeed – it will need to be driven by decision makers in the organisation.