Recently, DNV carried out a survey involving almost a thousand professionals in companies around the globe seeking their views on information security management. A similar exercise had been done in 2015. Thus, it was possible to analyse how organisations may have changed their view over time and understand initiatives and attitudes to best practices and system building.
Over the intervening six years, there is a clear progressive shift toward improved information security maturity. Even so, less than half of the sample rated their company as mature (4) or a leader (5) on a 5-point scale. Those that considered themselves a leader had almost doubled since the first survey but still represented just one in eight of all organisations surveyed. The modest size of the increase may come down to an increased focus on, and better understanding of, the risks involved.
The behavioral shift
Another change is the shift toward more behaviour-based investments. Of the initiatives organisations indicate they have taken to mitigate risk, respondents put the following three at the top:
- Having appropriate personnel to manage information security within the organization (64.9%)
- Having an information security policy approved by top management (57.5%)
- Providing information security training to staff (56%)
This shows a clear preference to invest in people and improve their skills. This was not as evident in the earlier survey, when physical assets and equipment topped the list. The focus on people is likely to bring results, as in most cases a cyberattack relies on an individual inadvertently making a wrong choice of action. Consider that the period between the surveys included the years when the COVID pandemic dramatically changed the way people and organisations work and interconnect. It would be expected that organisations are now far more aware of information, data and cyber risks and incidents than before.
It is noticeable that companies with a certified information security management system are more sensitive and responsive to changes happening around them. Close to 80% say they have either completed or partly completed an alignment process to fit the new digital environment. Asked which of four options – integrating security systems, staff training, regular testing or automated cyber security practices – was most relevant to treating new risks arising from digital transformation, staff training was again at the top, considered the most relevant by 33.1% of the certified companies and 25.9% of those not certified.
Of the organisations with a certified information security management system, three quarters have wholly or partially moved their IT infrastructure to the cloud. This does bring additional risks, but one in three have also adopted the ISO 27017 standard or another code of practice for cloud service information security controls.
Complete security model catching on
“Zero Trust” is a security model that continuously verifies the trustworthiness of every device, user and application, i.e. “you don’t trust anybody and you need to verify everybody”. This approach to security is catching on. Companies with a certified information security management system seem to be embracing the “Zero Trust” model to a higher degree: one in three have implemented it or are moving in this direction.
When it comes to the trends most impacting cybersecurity, top of the list is the increasing use of mobile devices, followed by innovative technologies. Mobile devices, whether smartphones or tablets, have become an integral part of modern-day life.
The rise of the Internet of Things (IoT) is also mentioned, an often overlooked risk. Items such as printers, constantly connected to company networks and the internet, may seem trivial. But with their firmware updated automatically, for example, these too could be a possible entry point.
Guarding against supplier risks
While it is important to be on guard against direct attacks, often the threat is imported from what are considered safe sources, such as suppliers of goods and services. The three most usual means of addressing and protecting against information security/cyber security risks when buying from suppliers are:
- Document-based qualification
- Verification and testing of purchased goods and materials
- Request for third party certifications
Certified companies are more likely to rely on third party certification to protect themselves from supplier information, data and cyber security risks. This is most likely due to awareness of the requirements and controls imposed by standards like ISO/IEC 27001. More to the point, the organisation itself may be a supplier to other businesses and so is expected to provide proof of sound information security management.
In fact, the top three benefits of implementing a certified information security management system, as ranked by respondents, were:
- Customer satisfaction/meet customer needs
- Information security performance improvement
- Ability to meet legal requirements
These are closely followed by “Improve identification/management of risks” and “providing a competitive advantage”. This underscores the important link between managing risks and business success.
The fast-transforming digital environment – from accelerated adoption of cloud and automation services, cybersecurity and privacy risks to malware and ransomware threats – has created an urgency among companies to keep information and data secure. Companies that are certified to best-practice standards such as ISO/IEC 27001 seem to have an advantage in understanding the risk picture and deploying mitigating actions.
References: Espresso survey (November 2021), “How are companies tackling enterprise risk? Information security.”