Imagine, your home has a good lock on every outside door, a dog and a security system. Does that mean you don’t have to worry about burglary? That depends … Where is your house located, what kind of valuables do you keep at home? Despite the measures you’ve taken, there is still always a chance that the house will be broken into.
In cybersecurity, it’s no different. Measures such as firewalls, backups, and the use of multi-factor authentication are the basics. You simply can’t do without. But once that foundation is in order, the question of what else is needed to secure your information arises. And the answer to that question differs per company.
Thus, cybersecurity calls for well-considered risk management. And that’s a problem. Because, according to recent studies by the Dutch Authority for Digital Infrastructure and NCTV, organizations’ cybersecurity is not conducted structured and measured enough. Therefore, the implementation of NIS 2 is being worked on hard in Europe. This update of the existing NIS directive has the goal of increasing the resilience organizations within the EU against cyber-attacks. The Netherlands will have until October 17 2024 to adopt the directive into national laws and regulations. For this reason it is important to start taking risk management seriously now, already.
So, a lack of well-considered risk management could lead to unnecessary risks. But also to unnecessary costs: some measures might not even be necessary for your company.
You are then faced with four questions.
- What needs to be protected?
- From what?
- What measures can achieve that?
- How must they be implemented and carried into effect?
You are not the first to be faced with those questions. That’s why frameworks have been developed that allow you to structure your cybersecurity.
If you are in a leadership position at a large organization, you probably already are using an ISO framework, maybe even in a special form, like in healthcare and government agencies. For information security there is ISO/IEC 27001/2: that standard tells you which controls could be needed to properly protect your data. The problem is: ISO/IEC 27001/2 does not tell you how those controls can best be set up both technically and organizationally. The frameworks and standards merely tell you what to organize, but not how to do so.
Luckily there are other standards for information security that work out the technical side of it a lot better. For example, the CIS controls: those are a lot more useful and specific. IT departments will do just fine with them.
CIS even provides controls at three different levels. So, you can easily prioritize, based on your risk analysis. And then gradually grow on, to spread the implementation’s work, or to ensure that everything is picked up well by the organization.
But, CIS also has disadvantages, because the controls cover virtually any possible form of security. They don’t tell you what your organization needs. And the IT department won’t know that exactly either, because they generally have too little overview of the business. If you are not careful, the IT employees will close everything off using CIS. The security then becomes an issue, because people start working around it.
It is therefore not a big surprise that information security is a pain point for many organizations. But maybe you don’t even need to choose between ISO and CIS! All frameworks have their own shortcomings, but they can also supplement each other.
ISO 27001 in the end is fine for getting clear what exactly needs to be protected. And for implementing processes to keep the dangers within limits.
As soon as it subsequently becomes more technical, your IT employees can get to work with CIS. While doing so, they can easily connect with your setup, because ‘translations’ exist that explain how to link both frameworks together. Research shows that they cover the same thing for 80%.
This will help you create a good and realistic roadmap for your information security.
The approach is clear then. First of all, you take a look at the environment: are there rules and standards your organization should follow? Standards adhered by your vendors can be included with that.
Next, you will choose a framework. You will get to work with that. At first only at the strategic level, with a business impact analysis.
Then, you will assess the risks. What are your organization’s ‘crown jewels’? What are the essential processes? What threatens those processes?
They need to be protected process-wise, as well as with IT resources. Optionally, you can use other frameworks to further expand the technical (but also the procedural) part, taking it to the next level. Or you could implement guidelines, such as by the Association of Netherlands Municipalities (VNG) aimed at BIO, and whitepapers such as those by NIST. These contain clear instructions and templates.
Ensure that you actively involve all stakeholders within the organization during this process, because information security is still mostly human work. You can opt for certification in ISO/IEC 27001 or a more sector specific standard such as NEN 7510, but that is not explicitly necessary.
Of course, this isn’t easy. For a small company the full implementation and set up of all measures, based on a framework, is a hopeless task. During a short period with an external consultant, how to rationalize all of this can be discussed. In this way, you do comply with a framework, but you receive support in practically implementing these measures.
And big companies, too, can save a lot of time and effort in risk analysis by employing an external organization like Tesorion. Because every company is different, but not everyone has to invent the wheel themselves.