CYBERSECURITY AND CERTIFICATION - FALSE MYTHS AND VALUE CREATION

Today, any digital transformation programme must include a robust cyber security component that meets recognised standards and frameworks such as ISO 27001, the NIST Cybersecurity Framework, TISAX or others. These certifications and assessments, increasingly demanded as a minimum requirement to take part in tenders that involve the exchange of information, are often misunderstood in their essence. They are commonly seen as the key element of security, almost an invincible shield against external cyber threats. But is this really the case?

Before answering this question and dispelling some false myths, it is useful to reflect on what a cybersecurity programme really means and what obtaining an Information Security Management System (ISMS) certification entails. A cybersecurity programme focuses on protecting information, and the IT systems that process it, from the risk of cyber attacks. A security certification, on the other hand, is a formal declaration by an accredited third party that an organisation, or a defined part of it, has met the requirements set out in a standard. These are two interconnected topics with separate implications, and both matter. A simple comparison is a university degree course and its final examination. Gaining the knowledge of the course does not require passing the final examination, just as passing the final examination does not necessarily imply having fully understood every topic covered. It is equally clear, however, that attending the course without sitting the examination, or trying to obtain the degree without having acquired the necessary skills, are unlikely or sub-optimal situations.

Having clarified this, it is important to dispel some common myths about IT security and related certifications, such as the well-known ISO 27001:

1. ISMS certification (e.g. ISO 27001) guarantees immunity from hacker attacks and total cybersecurity: This is a myth. Certification of an ISMS attests that the management system has been designed and operates in accordance with the requirements of the standard; it says nothing about whether a specific control will withstand a specific attack, and no computer system is completely invulnerable. Note also that a certificate covers a defined scope (the sites, services and assets listed on it) and a Statement of Applicability: when a supplier shows you a certificate, check that the scope actually includes the service you are buying.

2. System security certification is very expensive: This is also a myth. Obtaining certification certainly entails costs, which vary with factors such as the size of the company, the complexity of the system, the sector it belongs to and the consultants involved in the implementation. However, the cost of certification itself is usually small compared to the overall cost of an effective security programme, which the organisation should be bearing anyway.

3. Once ISO 27001 certification has been obtained, the job is done: This is not true. Although obtaining the certification requires considerable effort within the organisation, the information security journey continues after the certificate is issued. The ISO 27001 standard, like many others, is built on a continuous improvement cycle and requires periodic audits: internal audits planned by the organisation, plus surveillance audits by the certification body (typically annual, with a full recertification audit every three years). Maintaining the certificate therefore means planning internal audits, assessing and treating risks, implementing technical changes, delivering training courses and more. In other words, to keep the certification and its benefits, a series of activities must be planned and carried out after the certificate is obtained.

That said, obtaining a globally recognised security certification brings concrete benefits and creates value for the company, especially from an information security perspective. A security certification provides a well-defined framework for addressing and mitigating information security risks. It reduces not only the likelihood of incidents, but also the actual or potential costs associated with an incident.

In the market context, a security certification can be a competitive advantage, improving corporate reputation and customer confidence. In some cases, it can even open the door to new business opportunities.

In other words, a security certification not only attests to the results of the cybersecurity programme but also creates tangible value for the company.


Just as with certifications, there are some false myths about IT security programmes that it is essential to dispel:

1. IT security is the responsibility of the IT department: This is a serious misunderstanding. Many of today's incidents are the result of human error or inappropriate behaviour by non-IT personnel. IT security is the responsibility of all employees at all levels. Everyone has to be aware of the risks and adopt the behaviour and measures needed to avoid them.

2. IT security is only achieved through technological measures: This statement is rather limited. To achieve IT security, both technological and organisational measures are required, such as employee training and risk management.

3. Small and medium-sized enterprises are not targets for hackers: This is definitely false. Cyber attacks are widespread and affect both large and small enterprises; small and medium-sized enterprises are often considered the more vulnerable targets. Leading European security agencies such as ENISA report an increase in both the number and the sophistication of cyber attacks, regardless of company size.

The truth is that a cyber security programme brings many benefits and is today a cornerstone of any company's digital strategy. First and foremost, a security programme helps protect all of the company's sensitive information, including financial data, personal data and confidential intellectual property such as trade secrets, new investment plans and undisclosed discoveries. In addition, a security programme significantly reduces the risk of cyber attacks of various kinds, such as ransomware and data theft, which can result in significant costs. Finally, such programmes have a positive impact on a company's reputation. I believe that it is worth recognising that an IT security certification is a crucial step that fully complements a cyber security programme.


The real challenge is to determine the level of investment for IT security in order to create value for the company.


How much to invest in cybersecurity?

Of course, there is no one-size-fits-all answer or predefined logic, but certain methodologies can be applied. The simplest method is to carry out a financial evaluation, using indicators such as NPV (Net Present Value) or IRR (Internal Rate of Return), which weigh the costs and benefits of security investments. Estimating the benefit means estimating the potential loss in the event of a cyber attack, multiplied by the probability of that event (the expected loss), and comparing the expected loss with and without the investment. An alternative method was proposed by Gordon and Loeb in 2002: their model values each information set by its potential loss and its vulnerability, and shows that the optimal amount to invest in protecting it should not exceed about 37% (1/e) of the expected loss, that is, the potential loss weighted by its probability, not the full value of the data at risk. In addition to financial assessments, it is essential that companies, especially at the beginning of their security journey, establish a minimum baseline of protection and invest the available budget in that direction first.
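As an added illustration of the two methods above (this is example code written for this edit, not part of the original article), the following Python script computes the expected-loss benefit of a hypothetical investment, its NPV and IRR, and checks the spend against the Gordon-Loeb 1/e bound. All monetary figures and probabilities are constructed for the example; the comparison of annualised spend against the cap on annual expected loss is a simplification of my own, not part of the Gordon-Loeb paper.

```python
"""Cost/benefit sketch for a security investment (illustrative example).

Standard results used:
  - expected loss (ALE) = potential loss x probability (SLE x ARO)
  - Gordon-Loeb bound: optimal spend <= (1/e) x expected loss
Everything else (figures, the annualised-spend comparison) is an assumption
made for the example.
"""
import math


def expected_loss(loss_if_breached: float, breach_probability: float) -> float:
    """Potential loss weighted by its annual probability (ALE = SLE x ARO)."""
    return loss_if_breached * breach_probability


def gordon_loeb_cap(expected_annual_loss: float) -> float:
    """Upper bound on rational security spend: 1/e of the expected loss."""
    return expected_annual_loss / math.e


def npv(rate: float, cashflows: list[float]) -> float:
    """Net present value; cashflows[0] is today, cashflows[t] is t years out."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cashflows))


def irr(cashflows: list[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7):
    """Internal rate of return by bisection on npv(); None if no sign change."""
    f_lo, f_hi = npv(lo, cashflows), npv(hi, cashflows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cashflows)
        if abs(f_mid) < tol or (hi - lo) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_investment(loss_if_breached: float, p_before: float, p_after: float,
                        upfront_cost: float, annual_cost: float,
                        years: int, discount_rate: float) -> dict:
    """Compare expected loss with and without the control and score the spend.

    Benefit per year = reduction in expected loss. The Gordon-Loeb check
    compares annualised spend (upfront/years + annual) with the cap on the
    pre-investment expected loss; this annualisation is a simplification.
    """
    before = expected_loss(loss_if_breached, p_before)
    after = expected_loss(loss_if_breached, p_after)
    annual_benefit = before - after
    cashflows = [-upfront_cost] + [annual_benefit - annual_cost] * years
    annualised_spend = upfront_cost / years + annual_cost
    cap = gordon_loeb_cap(before)
    return {
        "expected_loss_before": before,
        "expected_loss_after": after,
        "annual_benefit": annual_benefit,
        "npv": npv(discount_rate, cashflows),
        "irr": irr(cashflows),
        "annualised_spend": annualised_spend,
        "gordon_loeb_cap": cap,
        "within_cap": annualised_spend <= cap,
    }


if __name__ == "__main__":
    # Constructed scenario: a EUR 2M worst-case breach, 20%/yr before the
    # control and 5%/yr after; EUR 250k upfront plus EUR 60k/yr over 5 years.
    result = evaluate_investment(2_000_000, 0.20, 0.05, 250_000, 60_000, 5, 0.08)
    for key, value in result.items():
        print(f"{key:>22}: {value:,.2f}" if isinstance(value, float) else f"{key:>22}: {value}")
```

A positive NPV and a spend below the cap support the investment; a control that barely moves the breach probability fails on NPV even when it is cheap, and a very expensive control can fail the Gordon-Loeb check even with a positive NPV. Both checks are only as good as the probability estimates fed into them.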


Implementing ISO 27001: a real case

Drawing from my experience, there is no single path to starting a cyber security programme or to making the decision to invest in cyber protection measures. The case I am proud to talk about is the result of the work of a highly inspired management team. From the very beginning, the team chose to invest in and sustain a path of stability that gradually led to the development of a solid cybersecurity programme. Once the cybersecurity programme was up and running and we had achieved concrete results, we noticed a growing demand from customers in different sectors. These clients started inserting cybersecurity requirements as key elements in the awarding of new orders. In particular, some customers requested certification plans and set deadlines beyond which the lack of certification would result in exclusion from new tenders. Faced with these market demands, as well as the internal benefits generated by certification, we made the decision to obtain ISO 27001 certification, a universally recognised standard. The process started with the selection of a partner experienced in the standard and of a certification body.


The first important step was to conduct a formal gap assessment against the standard and to define a work plan to close the gaps and achieve certification. The preparation involved a large multidisciplinary team, consisting mainly of IT staff but also HR, the quality team and administrative staff, supported in some cases by legal advisors. The effort was led by the CIO, the CISO and the IT leadership team, and supervised by a qualified PM with extensive experience in IT project management. A key aspect throughout the process was the adoption of an application to record progress and support the introduction of new practices, particularly in risk management. The software helped to build a continuous process of risk registration, verification and evaluation. In particular, the formalisation of the risk treatment decision for each risk (acceptance, avoidance, mitigation or transfer), supported by the system, was crucial in guiding the organisation and in fully adhering to a fundamental aspect of the ISO 27001 standard.


The project culminated in a few internal audits led by external professionals, which simulated a real audit and surfaced potential improvements and even non-conformities with the standard before the certification body saw them. The final audit, which involved key members of the team including the CISO, allowed the intensive preparation work to be put to good use, leading to the long-awaited certification. This result was not only an achievement but also the beginning of a journey that allowed the entire organisation to grow significantly and to manage security in a more comprehensive and structured way.


Key learnings

In the end I would like to leave here my lessons learned, should this help others on the same path:

- Management consensus is critical to sponsoring and supporting the implementation and certification of a security programme. Make sure you bring the decision to the highest company level, e.g. the board, and present it as a critical risk to business stability and continuity.

- Before embarking on a certification project such as ISO 27001, make sure that you already have a quality management system in place, and in particular a document management system: the standard requires documented information to be controlled, approved and retained.

- Certification serves as a formal verification of the security system. Without a pre-existing information security system, developing it concurrently with the certification process can be quite challenging.

- The team is fundamental and is a critical factor for success. It is vital to ensure a blend of IT experts from all areas of information systems (support, projects, network and security, applications, infrastructure, end-user services, etc.) and quality experts specialised in ISO 27001, along with the right advisors.

- The choice of the partner accompanying you in the certification is just as important as the choice of the certification body. Choose qualified partners: advisors with a track record on the standard, and certification bodies accredited by a recognised national accreditation body. Keep the two roles separate and keep direct contact with the certification body; the consultant who helps you build the ISMS must not also be the one who audits it. Avoid conflicts of interest.

- The role of the Project Manager (PM) is crucial: it is very important to have a PM experienced in security certification. He or she plays a critical role in coordinating the efforts of the various sub-teams.

- Appoint a Chief Information Security Officer (CISO) and ensure that he or she is an active part of the project. During the final audit it is essential to have the CISO present (or to appoint a delegate).

- When preparing for certification use all available resources, and in particular refer constantly to the written text of the standard. Make sure you fully understand the certification scheme and its requirements.

- Internal audits and management review meetings are crucial for achieving certification: they are review and communication tools that let you measure your degree of readiness for certification, and both are themselves requirements of the standard.

- Use software to track your progress and to make sure you fulfil all the requirements of the standard.

- Make risk management a daily habit, employing a system to track risks assigned to the various owners and to review them regularly alongside their mitigation actions or risk treatment plans.

- The objectives of the information security management system must be thoroughly discussed and agreed.


Finally, two interesting freely available articles for those who managed to read this far:

"Building an effective cybersecurity training program", May 25, 2023, article by D. Updyke, published by Harvard Business Review

"Securing your organization by recruiting, hiring and retaining cybersecurity talent to reduce cyber risk", June 29, 2022, article by V. Anant, M. Glynn, J. Greis, N. Kostorus, I. Kristensen, C. Lewis, L. Santos, published by McKinsey & Company
