From the business side, it is often thought that managing risks in relation to cybersecurity and information security is the responsibility of the CISO or the security officers. But is this still feasible when you look at the increasing digitalization and the complexity of processes? I believe that this responsibility is a challenge for the entire organization.
“Organizations in the Netherlands are aware of the need for cybersecurity, but there is often no good connection between business operations and reducing cyber risks”. This is also one of the conclusions from the annual PwC study ‘Digital Trust Insights’. This is a very recognizable conclusion for us and offers food for thought.”
Everyone on board at an early stage
To gain more control as an organization, it is first of all important to know where the risks lie. It is often a struggle to gain insight into this, but not an impossible task. Try to involve and involve the people from the business at this stage. There is a very logical and sound reason behind diving into responsibilities and the “digging in your heels” mentality. Because all those checks, balances and ticks cost a lot of time and effort and never completely rule out an actual risk. The difference between the paper reality and the actual security can vary. It is nice to have all the chapters of the BIO green, but if a hacker does get away with your data, you will not get much out of it at the end of the day. The most important thing is to manage the risks. The control measures to do this must be secured where the risk occurs. Within the business processes of the organization. The business must take responsibility for this. They are the owners of the risks and must act accordingly. It is up to the security organization to facilitate this. We also call this decentralizing compliance. Investing activities where responsibility lies.
The paper tiger
Standard frameworks seem very challenging at first glance due to their size and complexity, but it is important to tame the paper tiger. Because when you work on information security in a structured way, you lay a good foundation to mitigate the risks. In addition, as an organization you are resilient when things go wrong. You think about possible scenarios, record them in processes and know how to act “when shit hits the fan”. In addition, it will help, when you want to tame the paper tiger, to do so together with an experienced business partner with the right tools. Demonstrability is leading in this. Something that is secured in our Key Control Dashboard ISMS. When you as an organization invest a lot of time and energy in professionalizing information security, it is useful to be able to demonstrate this!
