Top 5 Trends of 2019 - Information Security is a Business Problem

At the end of last year I had the privilege of working with a company around their information security. They successfully achieved their ISO 27001 certification. For a relatively small business that was an enormous effort.

One of the key reasons they were able to get certified is they realised that Information Security was a problem the entire business needed to attack.

The senior management led the project. They spearheaded the conversation and set the challenge to the company to take Information Security seriously. They understood the problem and helped everyone realise that every employee was a part of securing data in the business.

The general manager personally ran information sessions about data classifications: what they were and how they were to be used.

Sure, the IT team was integral to the process. They helped advise on process and assisted in writing policies and getting systems into line. IT stood hand in hand with the senior management team and the other business groups to make sure this transformation happened.

When I saw this I was blown away. They blew my mind, Jerry!

If you try to attack this problem any other way, it’s not going to be truly successful. Sure, you may have compliance requirements that IT could bust their butts getting the house in order for. It may pass an initial external audit. But sooner or later, without the entire company backing real security processes and procedures, there’s a ticking clock counting down the days until a data breach, a hack or a malicious virus seriously cripples your business.

Information Security is a business problem, not an IT problem. In 2019 we have CIOs, CTOs and we have Chief Data Officers. Companies have more information/data than they know what to do with. And not just any data, they have client information, names, addresses, birthdays, financial data, medical information, employee data.

Information Security is Everyone's Responsibility

In a lot of these cases businesses, and especially their owners, have large legal responsibilities, let alone ethical responsibilities, to ensure this data is safe.

If this makes you a little nervous, then make 2019 the year you get serious about information security.

In my view there are three steps in the process.

The first step is confession.

Find your IT guy*, repeat after me:

“Forgive me, sys admin, it has been ____ days/months/years since I’ve seriously considered our business’s Information Security.”

Hopefully they are a compassionate sys admin and will forgive you your sins of omission. They may fall off their chair in shock, but give them a minute and a proper conversation should ensue.

The second step is penance.

Talk is cheap; actual work is required. This is when the business needs to get involved. IT is at the table, and may have lots of input, but they are just one representative. Collectively you need to work on the following:

  • identify and classify your data
  • create controls and policies around how things are classified, stored, accessed and archived
  • define how you track breaches of these controls, and your change management
  • define who has access to systems and data
  • define who decides who gets access, and so on

The third step is reconciliation.

This is the final step. Take your hard-working team out for drinks, and don’t forget your IT guys. Sure, we might be a little awkward, a little overly excited to be invited out, but don’t dissuade our keen spirit.

*If you can’t find an IT guy nearby, talk to us; we are certified as compassionate and understanding.