90% of security professionals invest in defences after a data breach

Many organisations are too slow to address cyber security concerns, according to Cisco’s 2017 Annual Cybersecurity Report. The report says that 90% of security professionals invest in cyber defences after a data breach, and although the investment is ultimately worthwhile, one has to wonder if more organisations would be able to mitigate attacks if they’d acted proactively.

Overwhelmed by technology

The report states that “the aftermath of a data breach is a learning opportunity”, but with cyber attacks usually costing organisations huge sums of money, they are expensive lessons.

Cisco believes the problem stems from organisations being overwhelmed by technology. More industries rely on the Internet, and there are more ways to access it (work computers, mobile devices, laptops, tablets, etc.), but this is not coinciding with a rise in cyber security personnel or budgets. Therefore, resources are being stretched thinner and security is weaker.

“Adding more security talent can help, of course,” the report states. “With more experts on board, the logic goes, the better the organisation’s ability to manage technology and deliver better outcomes. However, scarce security talent and limited security budgets make hiring sprees unlikely. Instead, most organizations must make do with the talent they have. They rely on outsourced talent to add muscle to their security teams while also conserving budget.

“The real answer to meeting these challenges […] is to operationalize people, processes, and technology in an integrated manner.”

The best way to do this is to certify to ISO 27001, the international standard that describes best practice for an information security management system (ISMS). An ISMS is a system of processes, documents, technology and people that helps to manage, monitor, audit and improve your organisation’s information security.

How ISO 27001 can help

Certifying to ISO 27001 helps organisations manage their security practices in one place, consistently and cost-effectively. Organisations can put in place an overarching management process to make sure their information security controls continue to meet their security needs. This includes management systems, governance frameworks, best practice and IT audits.

Of course, these processes will be useless if the organisation’s staff aren’t aware of, or don’t follow, them. That’s why the Standard requires organisations to invest in regular staff training and awareness programmes.

Technology helps organisations manage processes and mitigate mistakes by staff, but it can’t be relied upon to stop all threats. For example, audits can reveal security weaknesses that can be targeted by appropriate technical controls, and the threat of malicious emails can be partially mitigated with spam filters.

Complying with or certifying to ISO 27001?

If you’re considering implementing ISO 27001, IT Governance is a global pioneer in implementing ISO 27001-compliant information security management systems.

We are the world leader in implementing ISO 27001-compliant ISMSs, having helped more than 400 companies certify to the Standard. We use a proven and pragmatic approach, and provide a variety of implementation solutions to help our clients achieve accredited certification to ISO 27001 at an agreeable cost and with minimal disruption to business.

Find out more about our ISO 27001 consultancy service >>