Why the Board can be the biggest threat to information security

Nearly 60% of IT security professionals expect to experience a security breach within the next year, according to a Ponemon Institute survey of 1,000 participants.

A further 81% of those believe that if the right investments in people, process and technologies were in place, their organisations would be better equipped to mitigate future security breaches.

ISO 27001 asserts the importance of a risk-based approach to information security, and of a holistic methodology that encompasses people, process and technology. Information security, however, sits inside a deeply embedded internal conflict between the need for an organisation to be flexible, innovative and lean on the one hand, and to control risk on the other.

Investing in information security helps to standardise processes, reduce data breaches and their associated costs, build credibility, meet compliance and regulatory requirements, and keep the business environment resilient to future change. Business inertia about information security, and a lack of knowledge about the real risks, nevertheless mean that this critical investment rarely comes to fruition.

Information security professionals will readily point out that more needs to be done to convince businesses of the importance of information security. Making information security a regular topic of boardroom discussion is still far from the norm, however much we would like to believe businesses are adapting. Only 20% of respondents say that they frequently communicate with executive management about potential cyber attacks or threats to the organisation.

Information security is both a technical discipline and a risk discipline that must fit into corporate governance and risk management, as well as IT structures.

Getting management to pay more attention, and to allocate an appropriate budget for combating threats to information security, will remain the real challenge for some time to come.

Implementing an information security management system will deliver tangible business benefits that can be used to demonstrate the need for prioritising further investment into other information security projects.

vsRisk™ can help you identify and translate information security risks into meaningful reports that can be presented to your board, enabling you to build a better business case for further investment in information security.

The Risk Treatment Plan is a clear summary of all the risks identified, the risk responses that have been taken to mitigate or manage the risks, the corresponding controls, and the risk owner responsible for those risks.

The Risk Assessment Report presents a summary of the status of each risk, highlighting whether the risk response is acceptable according to the company’s risk acceptance criteria and whether any further action is required.
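To make the two reports concrete, here is an added example (not vsRisk code, and not from the original article) of a minimal risk register that produces a Risk Treatment Plan and a Risk Assessment Report of the kind described above. The scoring method (likelihood multiplied by impact on 1-5 scales), the acceptance threshold, the sample risks and the Annex A control references are all assumptions made for illustration; neither the article nor ISO 27001 prescribes a particular scoring scheme.

```python
"""Minimal ISO 27001-style risk register producing a Risk Treatment Plan and a
Risk Assessment Report (example code, not from the article or vsRisk).

Assumed scoring method: score = likelihood x impact on 1-5 scales.
A residual score at or below the acceptance threshold needs no further action.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed risk acceptance criterion: residual score <= 6 is acceptable.
ACCEPTANCE_THRESHOLD = 6
# Risk treatment options as named in ISO 27005.
VALID_RESPONSES = {"modify", "retain", "avoid", "share"}


@dataclass
class Risk:
    risk_id: str
    asset: str
    threat: str
    owner: str                      # person accountable for the risk
    likelihood: int                 # 1 (rare) .. 5 (almost certain), before treatment
    impact: int                     # 1 (negligible) .. 5 (severe), before treatment
    response: str                   # one of VALID_RESPONSES
    controls: List[str] = field(default_factory=list)  # control references applied
    residual_likelihood: Optional[int] = None          # after controls; None = unchanged
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: likelihood/impact must be 1..5")
        if self.response not in VALID_RESPONSES:
            raise ValueError(f"{self.risk_id}: unknown response {self.response!r}")
        if self.response == "modify" and not self.controls:
            raise ValueError(f"{self.risk_id}: a 'modify' response must name a control")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def treatment_plan(risks: List[Risk]) -> List[Dict]:
    """Risk Treatment Plan: each risk, its response, its controls and its owner."""
    return [{"risk_id": r.risk_id, "asset": r.asset, "threat": r.threat,
             "response": r.response, "controls": list(r.controls), "owner": r.owner}
            for r in risks]


def assessment_report(risks: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD) -> List[Dict]:
    """Risk Assessment Report: status of each risk against the acceptance criterion."""
    rows = []
    for r in risks:
        residual = r.residual_score()
        acceptable = residual <= threshold
        rows.append({"risk_id": r.risk_id, "owner": r.owner,
                     "inherent": r.inherent_score(), "residual": residual,
                     "acceptable": acceptable,
                     "further_action": "none" if acceptable
                     else f"reduce residual score from {residual} to <= {threshold}"})
    return rows


def board_summary(report: List[Dict]) -> Dict:
    """Headline figures for a board slide: how many risks sit within appetite."""
    total = len(report)
    acceptable = sum(1 for row in report if row["acceptable"])
    return {"total": total, "acceptable": acceptable, "needing_action": total - acceptable,
            "highest_residual": max((row["residual"] for row in report), default=0)}


# Constructed sample register; entries and control references are illustrative only.
SAMPLE_RISKS = [
    Risk("R1", "Customer database", "SQL injection via web application", "Head of Engineering",
         likelihood=4, impact=5, response="modify",
         controls=["A.8.28 Secure coding", "A.8.26 Application security requirements"],
         residual_likelihood=1, residual_impact=5),
    Risk("R2", "Laptops", "Loss or theft of unencrypted device", "IT Manager",
         likelihood=3, impact=4, response="modify",
         controls=["A.8.24 Use of cryptography"],
         residual_likelihood=3, residual_impact=1),
    Risk("R3", "Office Wi-Fi", "Unauthorised guest access to internal network", "IT Manager",
         likelihood=3, impact=3, response="retain"),   # retained above threshold: flagged
]

if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_RISKS):
        print("PLAN  ", row)
    for row in assessment_report(SAMPLE_RISKS):
        print("REPORT", row)
    print("BOARD ", board_summary(assessment_report(SAMPLE_RISKS)))
```

The validation in `__post_init__` is the part worth keeping when adapting this: a register that accepts a "modify" response with no control, or a score outside the agreed scale, produces a report the board cannot rely on.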

Take a look at the full features of vsRisk Standalone or vsRisk Multi-user now, or take the free 15-day trial.

Below is a brief glimpse of some of the reports that can be found in vsRisk:

[Screenshot: Risk Treatment Plan report]

[Screenshot: Risk Assessment Report]