In an age when Information Security is central to effective business operations and market reputation, we look at why some businesses prefer to prevaricate than protect.

From shoring up regulatory compliance to implementing key cyber security protocols, Information Security Management Systems, or ISMS for short, have become an integral part of day-to-day business operations strategy.

Across the globe, more and more organisations are becoming certified in ISO 27001, and while getting any system implementation right is paramount to any business, it is fair to say that seamless execution is even more of a priority for businesses that traditionally manage their IT in-house.

Yes, there will be minor hurdles to clear along the way – assigning the correct personnel to manage and work through the project, correctly interpreting the standard’s requirements, allocating operational downtime for certain technical or process changes, etc. But there are challenges in every walk of life, and especially when rolling out any change process. The key is not to let information security-specific issues become fuel for prevarication when it comes to planning your ISMS implementation.

Plan A – People

One of the first steps in any project is to form a team, and assigning members to an implementation team is no different.

Typically, these teams consist of personnel from across all business units. These ‘stakeholders’ are then responsible for the successful delivery of the project and the full roll-out of the management system. While many large organisations might have the bandwidth to assign these roles on a short-term, full-time basis, buying in employee engagement can often be a struggle for small to medium-sized businesses. Their personnel will have to take on these responsibilities in addition to their day-to-day duties, and therein lies the challenge!

Effective planning, combined with choosing the right people for the job, is the key to a smooth implementation. Nothing says disaster more than assigning key roles to unsuitable or unwilling personnel. By carefully assigning each project role to the person most qualified, culturally suited, and experienced to take it on, the battle will be halved before it’s begun.

Time management strategies, clearly defined roles and assigned tasks, and unambiguous, ‘plain-talking’ and inclusive communications will strengthen project management, ensuring your implementation stays within agreed timelines and budget.

Plan B – Leadership

Directive leadership is crucial to overcoming employee push-back.

By reinforcing the crucial importance of an ISMS and instilling a sense of urgency vis-à-vis organisational strategy towards regulatory compliance and client security, senior management can positively influence dissenters.

By highlighting the ‘real-world’ value-add of an ISMS and the significance of Information Security (IS) to cross-divisional function, leadership can ensure early staff buy-in.

This can be achieved through:

  • Clarity of IS responsibilities when agreeing each employee’s job function
  • Setting measurable IS objectives with defined responsibilities and deadlines
  • Nominating dedicated IS evangelists within each business line

Plan C – Ownership

There is a common misconception that smaller businesses are less impacted by information security than larger corporations or government agencies such as Eirgrid and the HSE, both of whom have been targeted by hackers.

Yet recent surveys show that more than half of ALL businesses have fallen victim to a cyber attack. Worryingly, many of these attacks are never reported – a ‘risky business’ – meaning the true figures could be much higher. Businesses, right down to each individual employee, need to take ‘total ownership’ of information security. This requires complete employee ‘buy-in’.

Securing total employee buy-in and ensuring that IS processes and procedures are taken seriously will help mitigate this ‘risky business’ ethos.

Possible steps to be considered are:

  • Mandatory training and awareness sessions for all personnel
  • Functional testing by way of security drills followed by ‘lessons learned’
  • Continuous risk assessment – measure and monitor

Plan D – Time

In these busy times, many of us have to work to tight deadlines. Our days are already filled with countless meetings, conference calls, lunch-and-learn sessions, and endless to-do lists. So getting staff on board to take on additional responsibilities can be quite a challenge.

By contextualising situations, management can help their employees to both understand and buy into new processes. In addition, scheduling ‘dummy runs’ of hypothetical but realistic scenarios can help create even more of an impact.

Actions that might encourage on-boarding are:

  • Compare and contrast reactive remediation and proactive adoption by putting both in context
  • Encourage active participation by personnel in the development of new processes and sign off on a manageable workload; people are more receptive to change if they are engaged with the process from an early stage
  • Detail the cost and risk implications to the organisation of an IS breach

Plan E – Focus

No matter its size, shape or sector, an organisation moving to implement ISO 27001 will face some sort of challenge(s). What is critical though is how these impediments are viewed and overcome.

Our top tip for any business thinking about implementing an ISMS and getting ISO 27001 certified is this.

Ensure all personnel fully comprehend the importance of information security management, are on board with the resultant changes to the business, and stay fully focussed throughout the duration of the project, and beyond.

This will make for a less bumpy road to implementation.

For more details on Information Security management or to discuss getting ISO 27001 certified, contact 01 – 620 4121 to chat with one of our team.