ISO 27001 compliance does not guarantee enterprise security

By Sonal Desai | September 2, 2015

MUMBAI, INDIA: Changing business paradigms are forcing CIOs and CISOs to rethink security strategies.

Not only are enterprises embracing digital, but the dynamics of IT organizations have also changed. With these changing dynamics, startling facts that were hitherto hidden in the cupboards are tumbling out.

One of them is that compliance with industry standards does not guarantee enterprise security. Affirming this, Tom Scholtz, Vice President, Research, Information Security & Privacy, Gartner, notes, “Too many organizations are trying to comply with industry standards like ISO 27001, rather than on business requirements. You can opt for industrial certifications for commercial reasons but that does not guarantee enterprise security.”

On the contrary, obtaining the certification can prove to be counterproductive, he warns. “People become lax because they feel they are safe. Best practices can be used for guidance, but the level of detail and granularity can only be dictated by the organization.”

Changing paradigms:
Digitization is managed by business and not IT. This means that a lot of traditional security principles do not work anymore.

Security has to think differently. Alongside the three earlier aspects of confidentiality, integrity and availability (CIA), safety, the fourth aspect, is of paramount importance.

Take, for instance, the recent General Motors breach. Unlike a traditional hack, where people are not physically harmed, in this case hackers had managed to penetrate the systems and could take people’s lives.

Similarly, a CISO of a mining company narrates that a hacker managed to penetrate the ventilation system, switched it off and thereby put the lives of hundreds of people at risk.

Security is a controlled function:
If you want to make your organization completely fool-proof, you have to stop all transactions, interactions and people access. But that is not possible because interactions, transactions and people will continue to access your enterprise network.

There is a need to integrate security components. The problem is that the technology market is fragmented and therefore organizations end up with more fragmented pieces of technology.

While the security practice has matured in India, too many organizations are focused on products to secure the enterprise. What is required is a combination of skills and technology, Scholtz suggests.

By design, security is a controlled function, and therefore, there is inherent conflict between CIOs and CISOs. Therefore, many CISOs are changing their roles and becoming facilitators, he says.

Key take-aways for CISOs:
• Focus on 10 to 20 percent of data that is critical to your organization
• Invest in technology, but focus less on frameworks
• Look at human beings as intelligent users and do not treat them like suspicious beings.
