When we say "We need to be more secure in cyberland," does that mean small businesses need to change what they do to be more secure?
ISACA says we need governance:
Governance and management for enterprise business should use the COBIT 5 principles:
- Principle 1: Meet stakeholder needs
- Principle 2: Covering the enterprise from end-to-end
- Principle 3: Applying a single integrated framework
- Principle 4: Enabling a holistic approach
- Principle 5: Separating governance from management
The COBIT framework, "simplified", means that the business drives "cybersecurity". That is, if you need to sell widgets on the Internet with credit card processing, you have to have cybersecurity on the Internet, and that is what you have to say: "We have to protect our systems to sell our products and stay in business."
The conversation cannot start with "I need security more than sales", because we know how that conversation ends. In fact, the cybersecurity person needs to say: we facilitate sales and make sure they are done safely. We take care of government compliance.
Beyond some good sound bites, the hard work of creating a truly secure organization is setting up a framework for weighing risks against threats and impact.
A methodology must be used instead of just telling your IT department "keep us as secure as possible, OK?"
What consistent methods do we need to operate to make cybersecurity for companies work effectively for the stakeholder?
I listed the 5 principles of COBIT, and one of the most important pieces of one of those principles is to assess risk (likelihood * impact) for each computer and IT device in your company.
An audit has to be performed in which all the pieces of the network and computer systems that serve the business needs are cataloged and rated for importance and weaknesses.
Once this inventory has been created, a risk analysis, including the expenditure of money, has to be compiled and reviewed with the stakeholders.
The process of reporting is also important: how to report and whom to report to.
Principle 5, separating governance from management, has its reasons. The IT department must be overseen and directed by a governing body. If you want to discover these details, get an audit from an ISACA auditor and get on the path to becoming more secure within your business needs and requirements.