Australian Cyber Security Magazine, ISSUE 6, 2018

Page 34

Cyber Security

Do I need an ISMS? Yes, here’s why. By David Stafford-Gaffney

As a business leader, in any vertical or industry, there are times you give more of yourself to the achievement of business outcomes than you do to your own family. It’s not a flaw, if there is ultimately a balance, although that is another article. You work hard, you’re passionate, you want your kids or family to look up to you and what you and your partner have achieved, and at times that comes at a cost. However, ultimately, you do it to make a better life and you know (or hope) it’s only for short bursts. You wear the impact of your efforts like a scar from battle, with the exhausting late nights setting strategy, the stress incurred from the tough decisions that impact people’s lives, the interstate trips away from the family, the actual delivery of the strategy and finally, the operationalisation of it, never too far away from your thoughts. You know all too well that there is still one more move to be made, the enactment of the organisational change program, to see everything through and, being methodical, planned and process driven, you leverage the trusted Deming Cycle to stay on track. However, there is one thing you hadn’t planned on, and as you are listening to a question at a conference on regulations surrounding privacy information, your mind starts wandering, trying to recall if this was one of the requirements you considered during the recent transformation. You’re almost certain this was not a consideration.

Imagine not considering where and how you handle customers’ Personally Identifiable Information (PII), payment card data or health records. Who has access to them? How is that access managed? How are the records themselves stored and transmitted? How are the assets they reside on protected, and who makes decisions on changes to them? How are changes to the systems managed to minimise disruption? And ultimately, how do you preserve all of this in the event of a major adverse situation? This is not an uncommon situation, and the reality is that overlooking this results in no small impact: your organisational change agenda has been announced, the strategy is in place, and changes to delivery now come at a massive cost, with redesign of systems and architectural changes to support new data flows and information management requirements. Worse, if you don’t have an in-house IT team, the bill is even higher as you begin to engage expensive outsourced resources. And, if you require a level of certification to attest to the levels of assurance and governance afforded to these systems, you now have yet another organisational change initiative to plan and deliver. You’re not alone if, when you hear someone talk about security, cybersecurity or hackers, you think it’s a problem for your IT team; however, the reality is very different. Reputational damage suffered because of a notifiable data
