It is a fundamental role of business leaders and the board to understand and manage the risks to the company. Information security is a very real and significant risk to every business, and, as a minimum, leadership teams need to be able to answer the following five basic questions.
Question One: What is information security?
The typical answer to this question is the protection of IT systems and data from cybercrime. While this is not wrong, it is only part of the answer, as information security should address much more. It is about protecting personal and business-sensitive information such as employee data, customer data and intellectual property. Information security addresses not only external threats from cybercriminals and hackers, but also internal threats from deliberate or accidental data loss, and the risk of failing to comply with legislation such as GDPR.
Question Two: Who is responsible for information security?
Similar to the above, the usual answer is the IT Director/CIO, and in larger organisations there may be a Chief Information Security Officer. While these may be the roles that are ultimately accountable for information security, every employee has a role to play. Unless there is awareness of information security across the company and a security culture driven top-down by the leadership, any measures taken by IT will only be partly effective at mitigating risk.
Question Three: What role does the board play?
In the same way that the board sets the strategy of the business, it must also provide the direction on information security. The leadership team has a duty to fully understand the information security risks to the business and the potential impact of such risk. By doing this, it is possible to set the ‘risk appetite’ of the business and ensure that appropriate action is taken to address those areas of vulnerability that are viewed as too great for the business.
Question Four: Are you GDPR-compliant?
Any business that processes the personal information of EU citizens (including employees) is required to comply with the GDPR. The legislation came into force on May 25th 2018, so by now you should have taken a number of steps to ensure you are compliant. Have you updated privacy policies? Do you have appropriate protection in customer, supplier and employee contracts? Have you assessed the risks associated with processing personal information? Do you have the relevant consents to process this information? Unless you can answer all of these questions, and more besides, you cannot answer the question as to whether you are GDPR-compliant.
Question Five: Are you doing everything you can regarding information security?
A question that is often asked by business leaders is “Are we now secure?” Unfortunately, the answer to this question will never be yes. The reality is that there will always be risk, both from the continually evolving world of cybercrime and from internal vulnerabilities. The question should therefore be: are we appropriately addressing the threat to the business?
Information security will continue to pose significant risk to every company, and as such it has to be part of the objectives and governance of the business. It is essential that business leaders take the steps required to understand and evaluate the specific risks they face. Make information security part of the culture of the company through awareness training and take the appropriate mitigating steps to address those areas of unacceptable risk to the business.
If you want to find out more about how Conosco can help you address the risks associated with information security, visit our IT security page. If you would like to discuss your specific requirements, please reach out to us through our contact us page or by calling 0345 838 7680.