Organisations failed by lack of cyber security processes

Everyone who is serious about protecting sensitive information has to be serious about the processes that underpin information security management.

Yet, too often organisations lack the necessary policies and processes – something that can have negative implications for them regardless of how good their IT systems might be.

Wobbling cyber security processes

Cisco’s latest Annual Security Report revealed that organisations were uncertain about their cyber security processes and highlighted a mismatch of opinions between CISOs and security operations managers.

62% of CISOs agreed with the statement that their company’s security processes are “clear and defined” – compared to 48% of security operations managers. 59% of CISOs believed their security technologies were “optimised”, but only 46% of security operations managers expressed this confidence.

Moreover, Cisco’s findings indicated that confidence in security policies is generally high among both CISOs and their security teams, but there is “markedly less” confidence in their ability to actually scope and contain a security compromise.

Patch and configuration management are an issue

75% of CISOs agreed that their tools were “very” or “extremely effective”, but fewer than 50% are using patch and configuration management, pen testing, vulnerability scanning, user provisioning or identity administration. Fewer than 40% are patching.

Lack of access control management

A report from Ponemon Institute for Varonis revealed that 71% of employees have access to data they shouldn’t see. It also showed that 64% of end users and 59% of IT professionals believe that insiders are “unknowingly the most likely to be the cause of leakage of company data.”

These findings indicate an absence of processes that deal with access control and administrative privilege management. Such processes are mandatory for British organisations that pursue compliance with Cyber Essentials and are discretionary for those that want to comply with ISO 27001.

The role of ISO 27001 for improving cyber security processes

Today’s businesses have to deal with a significant number of security challenges on a daily basis. Therefore, it is important to build repeatable processes and procedures to ensure security staff follow an informed and consistent approach that is in line with business operations, while improving information security management throughout the organisation.

Implementing an ISO 27001-compliant information security management system (ISMS) can play a significant role in improving cyber security and management processes in any organisation.

Adopted globally by thousands of organisations, ISO 27001 provides guidance on the development and maintenance of an ISMS. It offers a systematic approach to managing sensitive company information so that it remains secure by applying a risk management process that includes people, processes and IT systems.

Get started

IT Governance has developed a specially formulated combination of essential tools and resources to get started with an ISO 27001 project, even if you have no prior experience of ISO 27001 at all.

The ISO 27001 Get A Lot Of Help package provides you with guidance from an ISO 27001 implementation specialist throughout the entire project, without the associated expenses of hiring a consultant to do all the work.

Contact IT Governance today to request a brochure or to discuss your implementation needs with one of our advisors on +44 (0)845 070 1750.