James Kloppers, pre-sales engineer, CASA.
A quick internet search on the current cyber threat landscape will yield any number of gloomy statistics. Add to that the fact that artificial intelligence (AI) is expected to give already well-resourced cyber criminals even more devastating tools to hack into corporate and government systems.
For example, with a cyber attack occurring every 39 seconds, more than 71 million people or 800 000 organisations become victims of cyber crime each year. Moreover, the incidence of cyber crime has risen by 600% since the COVID-19 pandemic.
This last statistic leads to the pivotal point that information and technology have become vital to, and inseparable from, business. Therefore, an information security management system (ISMS) helps organisations to protect information assets and mitigate cyber risk by not only streamlining existing business processes, but also by helping to improve business efficiency, identify redundancies and reduce costs.
An ISMS is based on a framework made up of people/teams, policies, processes, products and technologies, as well as partners and third-parties (vendors). It is all about helping organisations to manage risk and protect information assets. For this, the ISO/IEC 27001, revised in 2022, is quite helpful as it describes what needs to be done to build and maintain a compliant ISMS.
By eliminating spreadsheets and effectively aligning the overall process of managing security, an ISMS will significantly reduce cost and time.
The connection of operational technology devices to the corporate network is a specific risk that needs to be highlighted. These devices − typically sensors or other apparatuses attached to facilities or equipment − feed valuable information back to the company. However, they often use outdated technology protocols and are easy to hack, providing cyber criminals with a convenient back door into the system.
For example, a sensor on a piece of equipment fitted to a gas well head located in the heart of Africa is unlikely to be secure, and because it’s connected to the company’s network via the internet, it can provide a quick system entry point for cyber criminals.
Hence, implementing an ISMS allows companies to adopt a framework, choose policies, procedures and the correct implementation controls that facilitate continuous validation, monitoring and updating of said controls. This assists in the mitigation of these risks. Then, as organisational requirements change and additional solutions are deployed, restrictions can be adjusted with ease, enabling a proactive approach to measurement. This is an iterative process that helps provide an in-depth view of security risks in near-real-time.
Governance considerations
Unsurprisingly, the governance of technology and data has shot up the board agenda. Principle 12 of King IV calls for businesses to “govern technology and information in a way that supports the organisation setting and achieving its strategic objectives”.
Recommended Practices 13 (c) and (d) specifically require boards to ensure the business is resilient and that it is monitoring and responding to cyber attacks. These recommendations are in line with global best practices.
It must be noted that directors who do not fulfil their fiduciary duties now find themselves personally liable for an organisation’s loss of value. Just one reason that the CIO and CISO are under pressure to ensure their businesses are ready and able to identify and respond to security threats. Visibility is crucial and this is where an ISMS provides the ability to continuously monitor and assess where you stand and what corrective measures are required.
In many instances, there is a specific requirement to comply with rigorous cyber security standards, such as ISO 27001 or NIST (National Institute of Standards and Technology), to name just two. Remaining compliant is challenging as it is time-consuming and involves gathering a large amount of information. These industry standards are built into the ISMS, making compliance management much easier for CISOs as they only need to select the standards relevant to their operations.
In response, many organisations react by purchasing expensive security systems and implementing them without taking the time to understand their unique requirements, exposure and risk profile. Often companies resort to adding layers of security in the hope this is the panacea to all evils.
The correct approach is to first evaluate the inherent risk and the threat it poses to the business, then investigate appropriate solutions that have been designed to mitigate these critical risks. Thereafter, best practice would be to continuously monitor, adjust and improve.
Information and technology assets constantly evolve, making it essential for companies to make parallel adjustments to their security posture to ensure compliance and mitigation measures remain current.
A related point is that IT (and thus data) environments have become mind-bogglingly complex. The action no longer happens within the (relatively) safe precincts of the corporate firewall, but on a plethora of mobile devices anywhere, anytime, with corporate servers no longer reliably on premises, but can be physically located anywhere, or disembodied in the cloud. In short, the attack surface is greatly extended, and just understanding the corporate IT estate has become a challenge.
The solution for many is a growing number of spreadsheets that harassed managers use to list IT assets, their current risk profile and related protective measures over time. This manual process is time-consuming, error-prone and often even forgotten about, leading to zero visibility or alignment within the organisation, thereby creating internal disparity.
Enter, with trumpets – ISMS
It is essentially a framework that enables users to understand the company’s security posture/culture, and track progress towards achieving goals relating to cyber security governance, risk and compliance.
If these goals include compliance with global standards, the system should update automatically as and when the standards change. This may not be automated as the data needs to be fed into the system, but it has two huge advantages. Firstly, all the information is stored in one place and available to all who need it. Secondly, it provides a comprehensive view of where the organisation wants to go and how it is progressing.
By providing both visibility and structure, an ISMS can deliver numerous benefits. These include regulatory compliance, prevention of data breaches and accountability. It eliminates finger-pointing and improves incident response.
Importantly, it provides traceability in the form of an auditable record for demonstrating its commitment to protecting sensitive data, and thus can play a key role in the aftermath of a security breach.
By eliminating spreadsheets and effectively aligning the overall process of managing security, an ISMS will significantly reduce cost and time. One example of a cost reduction is enabling the CISO to identify what security controls are needed and what the extent of the risk is, thus guaranteeing that only what is needed is purchased.
Security audits are typically performed annually, but with an ISMS they can be conducted as frequently as needed, thus addressing potential security risks on a regular basis.
Ensuring the organisation is 100% secure is never going to be possible. However, an ISMS will deliver the best possible security available by understanding the information assets that need to be protected, identifying the risk to them and creating the necessary mitigation controls.