Any cybersecurity practitioner will advocate that every organization establish an Information Systems Security Program (ISSP) at the outset. In my opinion, it is vital to establish one early, as it sets the tone for protecting an organization's data and infrastructure. One of the key concepts in developing an ISSP is understanding what influences its establishment and modification, as well as understanding how failure to take it seriously can lead to the downfall of a company.
There are many key attributes that influence an ISSP, including a company’s mission, goals, objectives, and even competition. However, at the head of the table, one of the most influential factors is senior management, and that’s where I want to start part one of this conversation.
I say “head of the table” because without leadership’s buy-in on why an ISSP is important, it is difficult to implement, let alone demonstrate its value. During my travels, I have encountered many CEOs who dismiss the concept for a variety of reasons, which we will discuss below. Surprisingly, cost is often not part of the conversation, despite surveys alluding to its significance.
Here are some quotes and why I believe they are logically flawed:
“It will never happen to me.”
By far, this is the most disappointing and perhaps most irresponsible response I have witnessed from a leadership team. The adage "it's not a matter of if, but when" applies here. Doing nothing because you don't think the threat is out there is simply wrong, and it sets a negative cultural precedent within the organization.
Analyzing why this response comes up so often, I realize that it is encouraged by two trains of thought. First, many leaders with this mindset are overconfident that their product has achieved perfection, leading them to believe there are no external (or internal) threats to their bottom line. Consequently, they see no need to develop an ISSP or enforce changes to it.
Second, there is a mythical mindset that the cost of implementing such a program will be so high that the company will automatically be in a deficit. Therefore, it seems better to play the odds and assume it won't happen to them.
“My stuff is in the cloud.”
Blind faith that a prominent hosting provider will protect your data, and make you whole after an incident or breach, is a pipe dream. In reality, most terms of service and service contracts contain limitation-of-liability language that caps or excludes the provider's liability for a breach of your data, and the indemnification clauses usually run in the provider's favor, not yours. This is by design: the provider's job is the security and availability of the underlying infrastructure (physical facilities, hardware, hypervisor, core network), not the security of what you put on it. Under the shared responsibility model the customer still owns identity and access management, data classification and encryption choices, network exposure, and the configuration of every service it consumes; a storage bucket or database left open to the internet is the customer's breach, not the provider's. In a later post, we will discuss IaaS, PaaS and SaaS data responsibilities.
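The part of the shared responsibility model that bites most often is access policy on storage you own. The following is an added example (not the author's code and not a vendor tool) of the kind of check an ISSP should mandate: it parses bucket policy documents written in the AWS policy grammar and flags any Allow statement that grants access to every principal. The two policy documents and the bucket and account identifiers are constructed for the example; it runs offline with no credentials.

```python
"""Flag policy statements that grant public access to a storage bucket.

Added example for this article; not code from the author or any cloud
provider. It works on policy JSON documents embedded below (constructed
samples with hypothetical bucket/account names) and needs no credentials.
The Principal and Condition handling follows the documented AWS policy
grammar, where "*" and {"AWS": "*"} both mean "anyone".
"""
import json

# Constructed sample: a bucket of customer exports readable by the whole internet.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed sample: the corrected policy, scoped to one role and forcing TLS.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-customer-exports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-exports",
                         "arn:aws:s3:::example-customer-exports/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_wildcard_principal(principal):
    """True when Principal is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return any(v == "*" for v in values)
    return False


def find_public_statements(policy_json):
    """Return [(sid, severity)] for Allow statements open to any principal.

    A Deny with Principal "*" is hardening, not exposure, so it is skipped.
    An open Allow that carries a Condition is reported as "conditional" so a
    human can judge whether the condition (source IP, VPC endpoint, ...)
    really closes the door; an unconditional one is reported as "public".
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append((label, severity))
    return findings


if __name__ == "__main__":
    for name, doc in (("PUBLIC_READ_POLICY", PUBLIC_READ_POLICY),
                      ("SCOPED_POLICY", SCOPED_POLICY)):
        print(name, find_public_statements(doc) or "no public Allow statements")
```

The point of the check is the contrast: the provider will happily serve the first policy exactly as written, because making the bucket reachable is its job; deciding who may reach it is yours.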
“My clients don’t care.”
Another flawed reasoning that can hinder the establishment and maintenance of an Information Systems Security Program (ISSP) is the belief that clients don’t care about the organization’s security practices. This mindset assumes that clients are primarily concerned with the products or services they receive and are not interested in the security measures implemented by the company.
However, this perspective fails to recognize the evolving landscape of cybersecurity and the growing awareness among customers regarding the importance of data protection. In today’s digital age, data breaches and security incidents make headlines regularly, and individuals are becoming more vigilant about entrusting their information to organizations that prioritize security.
Clients expect their sensitive information, such as personal details, financial data, or intellectual property, to be safeguarded by the companies they engage with. A breach not only puts their information at risk but also erodes trust in the organization. When clients lose confidence in a company’s ability to protect their data, they may seek alternative providers who prioritize security.
Furthermore, many industries and regulatory bodies have implemented stringent data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union or the California Consumer Privacy Act (CCPA) in California. Organizations that handle personal data must comply with these regulations and demonstrate their commitment to protecting customer information. Failure to meet these standards can result in legal consequences, fines, and reputational damage.
Bottom Line: Assuming that clients don’t care about security is a dangerous misconception. Organizations must understand that clients increasingly value data protection and expect their information to be safeguarded. By prioritizing security and implementing an effective ISSP, companies can not only meet client expectations but also mitigate the risk of breaches, enhance their reputation, and build stronger relationships with their clientele.
“Not worried, I have insurance for that.”
One common misconception that can undermine the establishment of an Information Systems Security Program (ISSP) is the belief that having insurance coverage is sufficient to address all security concerns. This line of thinking assumes that any financial losses or damages resulting from a security breach can be adequately mitigated through insurance policies, thus alleviating the need for proactive security measures.
While insurance can provide financial protection and help cover some of the costs associated with a breach, it should not be viewed as a standalone solution for comprehensive cybersecurity. Insurance policies typically have limitations and exclusions, and they may not cover all the potential damages and reputational harm caused by a security incident.
Moreover, insurance is reactive in nature, focusing on addressing the consequences of a breach rather than preventing it from happening in the first place. Relying solely on insurance without investing in robust security measures leaves an organization vulnerable to attacks and increases the likelihood of experiencing a breach.
Additionally, insurance premiums are often influenced by an organization's security posture. Insurers assess the level of risk an organization presents and adjust premiums accordingly; many now require evidence of specific controls (multi-factor authentication, tested backups, endpoint detection) before they will write a policy at all. Neglecting to establish a strong ISSP and the security practices it drives may lead to higher insurance costs, exclusions, or difficulty in obtaining coverage altogether.
It is important to recognize that insurance is just one piece of the puzzle when it comes to cybersecurity. A comprehensive approach involves implementing a layered security strategy, including risk assessments, regular vulnerability scanning, employee training, incident response planning, and ongoing monitoring and updates to address emerging threats.
Bottom Line: While insurance can provide financial protection in the event of a security breach, it should not be the sole reliance for safeguarding an organization’s information systems. Proactive security measures and a robust ISSP are crucial to minimize the risk of breaches, protect sensitive data, and maintain the trust of customers and stakeholders. Insurance should be seen as a complement to a comprehensive security program, rather than a substitute for it.
“No one is interested in targeting our company.”
The ugly truth is that the internet is scanned for known vulnerabilities every second of every day, and the scanners do not care who you are; they care that you have an IP address. If you don't believe me, take a few minutes to visit Qualys SSL Labs, which grades the TLS configuration of any public web server and keeps a constantly refreshing list of recently assessed hosts, including the ones that fail. Watch that list for a few minutes and you will see how much of the web is being tested at any given moment. When a threat actor's scan turns up a vulnerability, it's an invitation to explore further: can this get my foot in the door? In many cases, the answer is yes, and for many companies that sustain a breach, it's the beginning of a death spiral.
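The scanning described above leaves a very recognizable trail in ordinary web server logs, which is the first place a small organization can see for itself that "no one is interested in us" is false. The following is an added example (not the author's code) of a detector for it: it parses access log lines in the common combined format and flags clients that probe several well-known sensitive paths within a short window. The log lines, IP addresses and hostnames are constructed for the example (the IPs are from documentation ranges); the probe paths are ones that appear in real-world scanning, but the list is illustrative, not exhaustive.

```python
"""Spot opportunistic vulnerability scanning in web server access logs.

Added example for this article; not code from the author. It parses a few
constructed Apache/nginx combined-format log lines (hypothetical IPs from
documentation ranges) and flags clients whose behaviour looks like mass
scanning: several distinct probes for well-known sensitive paths within a
short window. One stray request is ignored so the output stays actionable.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (combined log format). 203.0.113.7 behaves like a
# scanner, 198.51.100.20 like a normal visitor, 192.0.2.55 sends one probe.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "GET /.env HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Mar/2024:10:15:01 +0000] "GET /.git/config HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Mar/2024:10:15:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Mar/2024:10:15:03 +0000] "GET /actuator/health HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.7 - - [12/Mar/2024:10:15:03 +0000] "POST /boaform/admin/formLogin HTTP/1.1" 404 162 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.20 - - [12/Mar/2024:10:16:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.20 - - [12/Mar/2024:10:16:12 +0000] "GET /about HTTP/1.1" 200 3011 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.20 - - [12/Mar/2024:10:16:40 +0000] "GET /pricing HTTP/1.1" 200 2890 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.55 - - [12/Mar/2024:10:20:05 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path prefixes legitimate visitors almost never request but scanners always do.
# Illustrative list; extend it from your own 404 logs.
PROBE_PATHS = (
    "/.env", "/.git/", "/wp-login.php", "/xmlrpc.php", "/phpmyadmin",
    "/actuator", "/boaform/", "/cgi-bin/", "/.aws/credentials", "/server-status",
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True when the request path starts with a known scanner probe prefix."""
    p = path.lower()
    return any(p.startswith(prefix) for prefix in PROBE_PATHS)


def detect_scanners(log_text, min_probes=3, window_seconds=60):
    """Return {ip: total_distinct_probe_paths} for clients that requested at
    least min_probes distinct probe paths within any window_seconds window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            by_ip[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each probe: distinct paths seen within it.
            in_window = {p for t, p in events[i:]
                         if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_probes:
                flagged[ip] = len({p for _, p in events})
                break
    return flagged


if __name__ == "__main__":
    for ip, count in detect_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct probe paths, looks like automated scanning")
```

The thresholds are deliberately conservative: a single request for /wp-login.php from a curious visitor is noise, but six distinct probes in three seconds from one address is a scanner, whatever its User-Agent claims. Run over a week of real logs, a detector like this is usually all the evidence a skeptical executive needs.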
To ensure the security of an organization’s information systems, it is imperative for senior management to understand the importance of establishing and maintaining an ISSP. Dismissing the need for an ISSP based on flawed reasoning or misconceptions can have severe consequences. The next part of this conversation will delve into additional influential factors and debunk more flawed logic surrounding ISSPs. Stay tuned for part two!