It was only six years ago that you created a website as a company, which then ran somewhere and you didn’t worry about anything else. Now you first check whether the supplier has taken sufficient security measures and whether these are of the same quality as the measures that you take as a company. For example, an ISO certification suddenly comes into play, or you opt for a SOC declaration as a company. SOC involves more than just security, but it is an important part. As Yellowtail, we recently acquired a SOC type 1 and are now working towards SOC type 2. Information security is a top priority for us. That was different for us six years ago.
The bar is set high
The news reports about hacks, ransomware and data leaks prove that cyber security is urgently needed. It is happening more and more often – and we are also noticing this more and more in the Netherlands. The reason for this is simple: the Netherlands is a digital leader and is a major player in the service economy. This means that a lot of digital work is done with data. The Dutch are very digitally minded and adapt easily. This also makes our country attractive to cybercriminals. After all: there is more to be gained here than in Germany, for example. For example, a lot of pension information in Germany is still sent by post, but we have Mijnpensioenoverzicht.nl from the government. As Yellowtail Conclusion, we regularly implement new pension portals for pension funds. All this digitalisation and the vulnerability that comes with it means that we in the Netherlands have to set the bar high when it comes to information security.
Awareness and willingness to invest
By now, every director and manager knows that it is not a question of whether something will happen, but when. Cyber risks have therefore been given considerably more priority on boardroom agendas. So awareness is there. But in practice, willingness to invest does not always keep pace with that awareness. What do you spend your money on and when? Only when there has been an incident and the organization has felt the consequences? That is actually where we are now: do you invest in information security in advance or afterwards?
Responsible and alert
The idea of information security is that you continuously check systematically. It is not a one-off check. What makes it extra complex is that digitalization is everywhere: in all departments throughout the entire organization. The responsibility for handling information safely therefore lies with every owner of a process or asset. Deeply rooted in the organization. Yet not everyone feels that responsibility. Take the phishing e-mails. It is possible to prevent becoming a victim of these malpractices. And yet employees still click on the links in phishing e-mails. People are still often the weakest link. Awareness could still seep in a bit deeper in organizations. That is also a task at the moment: making the entire organization responsible and alert.
Locking it in place
Because information security is part of the entire organization, it is difficult to monitor that accountability and control. Securing checks & balances in processes is now a hot topic. More and more organizations realize that you have to invest time and money in carrying out those checks and covering the risks. We have been using doors with locks, barriers at sites and gates in buildings for years. But screening people and locking the door is no longer enough; information also needs to have a lock. That is the thinking that organizations need to make. Do you think you are safe or do you really know which risks are in effect in your organization and do you act accordingly on a daily basis?
A fair picture
If you get a fair picture of the risks, you can then determine where to invest your time and money. At the same time, that is also where the difficulty lies: because information security is now part of the entire operation, it makes it difficult to monitor accountability and control. The Key Control Dashboard helps with this. It allows you to map out the risks and the necessary actions become clear. The system signals and enforces that action is taken. This allows you to account for what you have done in terms of information security. You cannot 100% prevent your organization from becoming the target of cybercriminals. But if there is an incident, you can demonstrate that everything has been done to prevent it. And that you have carefully considered the risks and acted accordingly.
Emancipation of information security
Ensure that your critical processes are safe and effective. Demonstrate that the quality of your organization is good and that the processes are set up correctly. And then make the investments that are needed to make your organization safer. At the same time, information security is no longer a stand-alone thing. It must be deeply rooted in your entire organization, because it is crucial to your entire organization. The question should actually be: what do I need to do to ensure that my organization continues to exist? Information security is only truly emancipated when it is integrated into your business operations and we no longer have to talk about it. But we are not there yet.
The Key Control Dashboard
From the Key Control Dashboard, we work intensively with our customers during implementations to jointly realize the intended ambitions for information security in both the short and long term. We help realize the integral objectives with our software.
The Key Control Dashboard is able to place ownership in the right place due to its flexibility, integrality and strong governance structure. This makes our software extremely suitable for any organization that wants to improve its management and control in relation to information security. Want to know more about what the Key Control Dashboard can do for your organization? Please feel free to contact us or request a no-obligation demo right away.
