Why Do We Do Cybersecurity?
While this question could descend into idle navel-gazing, it's one we regularly ask at Fresh Security. The answers are pretty predictable:
- It's the right thing to do - "You're always going to pay for security… the question is whether that's before or after a breach."
- We've been breached. We need to clean up and do better.
- We want to reduce our cyber insurance premiums.
- We got a security questionnaire, and we need to close this deal.
There are many motivations, and all of them lead to the non-trivial effort of becoming more secure. That's great, but how do you communicate that effort to your customers, partners and suppliers? How do you say, "We care, and we have implemented security"?
I've previously written about using certification as a communication tool, and that's the answer.
Why is Security Certification Valuable?
When I plugged this phrase into Google, I found endless articles best summarised as... They help you avoid bad things. And help you become more profitable… by avoiding bad things.
I was unimpressed.
So here are my 6 reasons security certifications are valuable…
- They help you avoid fines. With GDPR and industry-specific compliance requirements, the risk of receiving a penalty is real. So, as long as the compliance cost is less than the cost of a fine, there's a rational economic reason to implement security.
- Build trust and reputation with customers and partners. Privacy and security are increasingly understood and prioritised by consumers, as shown by Google's move to stop third-party tracking cookies and Apple's enhanced privacy and anti-tracking features. A security certification addresses this trend by demonstrating that your company has implemented safeguards to protect customer data.
- Supports accountability. Every security certification has a foundation in access controls - who can access what? By monitoring and restricting access to sensitive data, "It wasn't me." is no longer an option. Mistakes are acknowledged, and malicious actions can be addressed.
- It results in increased IT operational professionalism. Some things are externally observable - like using vulnerable software on a website. In an unstructured, chaotic IT team, the questions "Whose job is it?" and "How do we fix it?" come thick and fast… not fun. However, security processes and structures derived from certification requirements provide order and consistency.
- Certification enhances company culture. I think companies have good cultures when the work is predictable and not chaotic. It's an added bonus when people are held accountable for their actions, and building trust is a crucial component of everyday work.
- Brings IT into more discussions. IT can be seen either as an oddball backwater in the basement 👋 IT Crowd to be ignored, or as an integral part of a business that needs to be brought into decisions. The difference comes down to the amount of value IT brings to the conversation. Building trust with customers, ensuring accountability and enhancing culture are all great reasons for IT to be brought into the conversation.
Which Certification / Communication Tool?
There are industry-specific certifications - which are usually a cost of entry. You can't take and process card payments without PCI certifications. But for more general security certifications, I would suggest there are three to consider. Each has benefits.
- Cyber Essentials: It's UK-centric and required if you want to work with the UK government. But it is absolutely the essentials and no more. That said, it's not trivial to achieve. You will need a good handle on your IT system, and some of the expected security mechanisms can feel a little… forced.
- SOC 2: It's well received in the US and known elsewhere. It covers the fundamentals: protecting personal information, safeguarding client data, maintaining systems, protecting systems against attacks, and reducing process errors. It has the flexibility to adapt to any company - however, it's more work than Cyber Essentials.
- ISO-27001: The gold standard for security certification. This internationally recognised certification acknowledges the serious effort required. It can be abused by creating an artificially narrow scope, but this is the marquee security certification for a reason.
So, while the motivation to implement security comes from different triggers, it's the ability to communicate what you have done that delivers value for your business, customers, and partners. The certificate you choose depends both on where your customers (your audience) are and on the amount of effort you can afford.
In next week's newsletter, I'll explain what is required for an ISO-27001 certification.