So, let’s take a look at where cyber security certifications are going and their place within small medium sized business.
I’m a big fan of James and I have followed him for a very long time. So, it was an absolute pleasure when he offered to allow me to do a blog on his prestigious COFFEEFUELED blog. Looking for topics, it got me to thinking about lots of discussions that I have with people in industry that say certifications won’t stop you getting hacked, certifications won’t make you anymore secure, and generally there is a feeling that certifications aren’t part of the cyber security landscape but are a necessary evil.
To some extent I do agree with them having a certification will not stop you getting hacked or make you secure but, if done right, it is a consequence of having them that you will reduce the risk.
It’s very very easy to tackle certifications on the premise that you just want to tick a box and get that certification. It also relatively easy to do it. That’s for another blog.
The first thing to do really is to work out why you are going for a certification and where that certification fits in your strategy. Now let’s be honest, 99% of the time, certification is driven by customer requirement and customer need and companies are only going for certification because their customers are asking for it. Hence certifications will make you richer.
But it doesn’t have to end there. You can go about certifications in the right way, and it will have a knock-on impact and a positive impact on your overall security posture. Certification is not there to tell professionals who know what they’re doing how to do their job and at no point would a certification do that. It highly relies on the skillsets of the people that are already in your business.
But what it does do is enhances skills, knowledge and experience with the management structure and governance and management framework that allows us to put in some common operating models that have been proven to reduce risk and increase overall security.
It can only be seen that certifications are going to become more and more important as we move forward into 2022 and 2023. And the reason for that is that the security of the supply chain is one of the most significant risks to any organisation. The risk that your suppliers are not doing the right thing or don’t have adequate security in place. So, this shifts the conversation from the security of your organisation and the certification necessarily addressing your security requirements, but it moves it to ensuring that suppliers that supply products and services to you are themselves secure.
Now the way that you’re going to do that is either going to do an audit of that company and spend valuable time and resources to check that they are doing things to a level that you are happy and comfortable with or as is more and more the case you’re going to ask them for a certificate. The reason that you are asking for a certificate is a certification means that somebody else who is highly qualified and experienced in conducting audits has done the work for you.
You can see therefore that the unintended consequence of that is that the people that you do business with are now wanting to secure their supply chains and they’re going to be asking the same questions of you. Are you certified?
We can have a debate about the value of the various certifications from cyber essentials, cyber essentials plus, ISO 27001, SOC 2 … and the list goes on. But they all have their place and provide assurances back to customers that we’re doing the right thing for information security.
I don’t see certifications going away any time soon.
Stuart Barker is an ISO 27001 practitioner at High Table. He has been in information security for over 20 years. Today he is making information security templates available to business to help them do certifications themselves.