Just before the millennium, Steve Watkins and I wrote IT Governance: A Manager’s Guide with the specific intention of arming boards and senior managers with the tools to enable them to properly govern information security in their organisations.
The book is now in its sixth edition and the company that I set up to support the book – IT Governance Ltd – has now grown into an international organisation whose parent company, GRC International Group PLC, was floated on AIM in March this year.
You might think, from that, that our book was incredibly successful in changing how boards think about cyber security, but you’d be wrong.
Cyber criminals are outsmarting and outspending us, and boards are sleepwalking into a very dangerous digital future. Only around 25% of the UK’s organisations claim to be GDPR-compliant (which means they’re also not actually cyber secure), and Ciaran Martin’s speech is a welcome call to boards and senior management to recognise their accountability for their organisation’s cyber security.
He identifies today’s key risk areas: phishing, access controls and authentication, patching, and restrictions on the use of privileged accounts. He also asks how boards can satisfy themselves that suppliers (who may also be data processors under the GDPR) are secure. The parallel questions are: “How do we know that we ourselves are secure? How do we avoid simply relying on the CISO’s word?”
The cure remains the same
And the answer today is the same as it was nearly twenty years ago: get your management system independently audited to ISO/IEC 27001, the international information security management standard, and insist on the whole of your supply chain doing the same. If you want to ensure the GDPR is built in, add BS 10012 – the British personal information management system standard – to the mix.