“It’s not an easy time to be a CISO,” according to Ponemon Institute’s Dr Larry Ponemon. Chief information security officers (CISOs) are less confident than ever about data security, with 67% of respondents to a recent Ponemon Institute survey saying they believed their organisation was more likely than ever to be hit by a cyber attack or data breach.
CISOs cited a “lack of competent in-house staff” as the most likely reason for a breach. Respondents also singled out:
- The inability to protect sensitive and confidential data from unauthorised access (59%);
- The inability to keep up with the sophistication of criminal hackers (56%); and
- Failure to control third parties’ use of sensitive data (51%).
“Data breaches and cyber-attacks continue to plague organisations and the responsibility of protecting sensitive data stops with the CISO,” said Dr Ponemon. “It’s critical that companies support CISOs and reduce risk by implementing standard processes, including policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability.”
Implementing an ISMS
Organisations wanting to address cyber security vulnerabilities should adopt ISO 27001, the international standard that describes best practice for an information security management system (ISMS).
An ISMS is a centrally managed framework for keeping information safe, protecting the confidentiality, integrity and availability of an organisation’s data. It consists of a set of policies, procedures, and technical and physical controls, and can be applied either to the entire organisation or a specific area or department.
By implementing an ISMS, organisations can:
- Secure information in all its forms, including digital and paper-based data, intellectual property, company secrets and data on devices and in the Cloud;
- Increase their resilience to cyber attacks;
- Respond to evolving security threats;
- Reduce the costs associated with information security; and
- Improve company culture.
Although you can implement an ISMS without certifying to ISO 27001, accredited certification to the Standard proves to stakeholders, clients and regulators that you’re following best practices and take cyber security seriously.
Giving cyber security the attention it deserves is now more important than ever. Even if you don’t go as far as implementing an ISMS, you should consult your CISO about how to mitigate threats. Many senior staff don’t know where to begin, so we’ve produced a free brochure explaining exactly what you need to know.
12 cyber security questions to ask your CISO helps you understand your organisation’s threat landscape better. It advises you on:
- How to make the case for improving your cyber security programme and budget;
- The key areas you should be investing in; and
- How to implement a holistic cyber security programme.