Cybersecurity: Is it a Management Challenge or Technical Issue for businesses?


Earlier today, while I was training one of the commercial banks in Nigeria on Information Security Management Systems (ISMS), i.e. ISO 27001, we stumbled on a slide with the topic "Management Challenge or Technical Issue". When I came to that slide header, I asked the class whether they felt information security was more of a management challenge or a technical issue. Many chose technical issue; I do not blame them, because most were from the Information Security (IS) and Information Technology (IT) departments. Only a few, or let me say 2, respondents got it right, and they were both from the risk department. I think, based on what they do, they know that management plays an important role in attaining information security.



In other words, to fully understand why an organisation would spend heavily on implementing the ISO 27001 standard, we need to understand its rationale. The simple answer to why most businesses implement an ISMS is to meet their business goals or objectives. One might wonder, how do business objectives and an ISMS correlate?

Well, they do not correlate in any way; however, implementing an ISMS is a means to an end. That is, achieving optimal implementation of and compliance with ISO 27001 will boost the reputation of the organisation, and many clients will feel comfortable doing more business with a firm that is ISO 27001 compliant. In addition, in the process of being certified to the ISMS standard, a firm tends to identify opportunities on which it could build, while also identifying weaknesses it could improve on. One key benefit of implementing an Information Security Management System is that it helps the firm understand its business better, while also ensuring business continuity even in the event of a business disruption.

Now we can all see why and how implementing the ISMS standard aligns with the business objectives of any firm. Once the firm has recognised and established this, it needs management's approval and commitment to implement the standard. When approval comes from top management, the next phase is the risk/gap assessment phase.

This phase is key, and many firms fail to recognise this, which affects the whole Information Security Management System. So it is vital for any firm looking to implement the ISO 27001 standard efficiently and effectively to get this risk assessment right. This phase tells us the value of the assets a firm uses to process or store information. Remember that an organisation's assets could include information, data, software, systems, and even cloud services. In this phase, the vulnerabilities attached to each asset are identified, along with the controls the firm has put in place to ensure those weaknesses are not exploited. From this phase, an organisation can easily see where it currently conforms with information security against where it wants to be. Hence this phase is important.

After this has been done, some staff are appointed as implementation champions, and these champions are mandated to go through security training. This information security training is meant to build the champions' knowledge: not necessarily how to implement the standard straight away, but to familiarise them with some security concepts before implementation starts fully. Then there is the aspect of information security awareness, in which all the firm's staff must be engaged.

Everything I have said so far is the introduction and the starting point of implementing ISO 27001; it establishes what is involved when starting an ISMS project. Yes, ISMS implementation should be treated as an organisation-wide project. Now, let us return to the subject of the topic.

To answer the question above, I will say information security is both a management challenge and a technical issue. It is an 80% management challenge and a 20% technical issue. The reason is simple: it will not function well without top management's approval of implementing the ISMS. Aside from that, implementing an ISMS is expensive, as firms train staff and pay for their certification exams, and top management still needs to ensure that awareness training is done. This way, everyone in the organisation knows that the company is implementing the standard, and every member of staff gets an idea of what is expected of them to ensure information security.

Management plays an important role in ensuring that policies are approved. Top management is in charge of approving processes, procedures, and manuals. They also ensure that information security roles and responsibilities are assigned to the appropriate people. Top management also ensures adequate business continuity, so that the business can carry on even if a breach occurs. Top management is still charged with financing the purchase of assets: systems, software and hardware assets like printers and laptops.

The 20 per cent of technical issues comes from infrastructure, logging, managing access controls and monitoring. These make up the smaller, technical portion that needs to be addressed to be ISMS compliant. The tools used make implementation easier and trackable, and they also make auditing log activity much easier. Tools help in the implementation of the standard: they can be used to encrypt data in transit, in use and at rest, and they can be set to track laptops while monitoring the network's activities.


