It should no longer come as a surprise to anyone that IT is everywhere, and that information security is of utmost importance to an organisation’s operations, so why do attempted and successful data breaches, data leakages and cyberattacks still make headlines every week? There are numerous reasons behind these incidents, but the good news is that following good information security practices and making your staff aware of information security threats help prevent or at least mitigate the impact of attacks and disruptions.
Creating and maintaining a good information security culture requires leaders, or more specifically leadership. Being an information security leader is no longer just a technical role. Instead, it requires clear strategic direction and the management’s commitment. Without strong leadership, information security risks may become uncontrollable, which can have serious consequences.
Everybody is responsible for information security
When it comes to the security of the entire society, private companies and other organisations play a key role. Likewise, every individual can do their part to make sure their organisation’s – be it a multinational conglomerate, a micro enterprise or a non-governmental organisation – data is secure. As line managers or directors, our role is to lead by example when it comes to security matters, such as anticipating and addressing any issues.
The role and responsibilities of information security leader
Information security leadership does not require an information security officer or manager, although these positions are necessary especially in larger enterprises. Everyone, including directors, benefits from strong IT skills but they are not required to ensure that your organisation’s information security is at a high enough level and being constantly improved. Help is available to those who want to take stock of their current status and to develop the staff skills across the entire organisation.
The management’s responsibility for information security could be summed up with being aware of security threats and having the courage to take action. Being aware means identifying and acknowledging the importance of information security, and having courage means seeking know-how and, consequently, answers to the question: has the organisation done everything that can be done to protect the customer and the personal and financial data the organisation owns or is responsible for? No organisation should have a management team that buries their heads in the sand like an ostrich and trusts that their organisation is immune from malicious digital activities.
Management commitment and information security
Are ‘management commitment’ and ‘information security culture’ just buzzwords spewed by consultants and used in standards? They can, of course, be viewed as empty words, but how does that benefit anyone?
One concrete example of commitment is how the organisation responds to client-specific or regulatory requirements, or how any problems identified in-house or by an external partner are addressed. In addition to management commitment, a good culture is also characterised by factors such as a safe atmosphere where employees are encouraged to flag up issues, learn from them and to do things right and in line with the agreed principles.
Strategic planning and continuous development
Directing and managing information and cyber security are strategy-level decisions rather than a set of good targets presented by the IT manager.
What do NIS2 and ISO/IEC 27001 mean?
Where to start and what to do when your client or board of directors starts to talk about the EU’s NIS2 Directive or the ISO/IEC 27001 Standard, which are both underpinned by information security leadership and risk management?
International leadership standards have required countless hours of expert work to become approved and published. Abiding by them is a good starting point for ensuring your organisation is on the right track, and despite the rather formal language, these standards and directives are, for the most part, generally applicable and understandable.
ISO/IEC 27001 is a standard for information security management systems. It sets out requirements and organisations can apply for certification from a third party – typically an accredited certification body – if they can demonstrate that they meet the requirements. The management model described in the standard is built around a risk-based approach to deciding how any identified threats to data assets are dealt with. The numerous good practices for the management of different aspects, such as documented data, know-how, target orientation, internal audits, non-conformities and reporting to the top management presented in the standard ensure that leadership support is systematic and constantly developing.
The standard contains 93 controls to make information security more concrete. These controls are used to bring risks to a tolerable level or to directly respond to a client’s requirements. The controls cover processes such as disruption management, capacity management and change management, good technical practices such as the safe recycling of hardware and encryption of network traffic, and administrative procedures, such as employee background checks and the classification of information.
The ISO/IEC 27001 Standard not only provides generally applicable structures and guidance to directors for information security management and leadership, but it is also widely interpreted that an information security management system that meets the requirements set out in the standard also satisfies the requirements of the NIS2 Directive and the national legislation based on it.
Jyrki Lahnalahti
Product Owner Kiwa Comply, Management Consultant
