Dejan Kosutic Every time I speak to someone about cybersecurity I hear rather different definitions about what it actually is – but at least the general idea is pretty much the same. However, when it comes to the question on how to achieve it, opinions differ sharply.
This topic has become so hot lately that even President Obama dedicated a speech to it in 2009 (I must admit, the best explanation on cybersecurity I’ve ever heard).
Cybersecurity definition
So what is cybersecurity? I think this short definition from Techtarget.com is the most appropriate: ”Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access.”
Just to note here – cybersecurity is not exactly the same thing as information security. Information security is a discipline that doesn’t take care only of digital information, but also of information in other media – paper documents, etc. Therefore, cybersecurity is a subset of information security, although in today’s world cybersecurity takes up a major part of information security.
How can cybersecurity be important to you? Can you imagine doing your business without IT infrastructure? Your most sensitive information is (most probably) archived on your IT systems – what would happen if they were compromised? How would you communicate with your clients without e-mail, website or phone?
One could argue that nowadays the companies are all about information – although I do not agree completely with that statement, it does show the reliance of modern organizations on information. Information that is primarily stored in digital form.
Connection with ISO 27001
Reading the above definition, cybersecurity is all about policies, procedures, processes, applying technology in a secure way, etc.
When thinking about this, the first thing that comes to mind is – it sounds complex! Is it really possible to carry out all that is required, and not to forget something? I would say it is, but you need to find a framework to achieve such a comprehensive task. ISO 27001, a leading international standard that defines how to manage information security, is emerging lately as the leading framework to protect your digital assets. It is already very popular in Europe and East Asia, and is gaining more and more popularity in North and South America.
Click here to read about the basics of ISO 27001.
The pros and cons of using ISO 27001 as a cybersecurity framework
I may be subjective about the importance of ISO 27001, but let’s take a look at how this standard can help you with regard to cybersecurity:
- First of all, the standard forces you to think comprehensively, so that you wouldn’t forget some important element of your information security / cyber security protection.
- The philosophy of ISO 27001 is based on risk assessment – in such a way it allows not only to customize the protection of information security according to the needs of each particular organization, but it also allows to focus on the most important issues. By the way, risks management is becoming more and more prevalent in managing not only financial institutions, but all kinds of for-profit and non-profit organizations.
- The standard recognizes that emphasis only on technology wouldn’t solve the problem, so it focuses on how to manage the relationship between the organization (processes, structure, policies, etc.), the people (employees, vendors, etc.) and the technology.
- A large portion of information security legislation in many countries is based on ISO 27001 – that means you can use this standard for resolving compliance issues.
- ISO 27001 is the only international information security standard against which an organization can get certified, proving to third parties that it is compliant.
There are negative sides to ISO 27001, of course. The primary concern, especially among IT professionals, is that this standard doesn’t offer any guidelines on how to implement certain technology. This lack of technical detail is due to the intention of the standard – to serve as a framework within which an organization can choose the most appropriate technology.
But for the technological details you can use other standards – like ISO 27002 (guidelines for the implementation of security controls), or NIST Special Publications (800 Series). The good thing about ISO 27001 is that it tells you where to start from, and when to use other standards for particular technology.
The next step
Of course, ISO 27001 is not the only framework you can use to implement cybersecurity – but you must choose a framework because otherwise you will be left with a headache about where to start from and what to take into account.
So when President Obama said ”cyber threat is one of the most serious economic and national security challenges we face as a nation“, you are lucky if you don’t have to take care of the cybersecurity of a whole nation. But you do have to take care of your company’s sensitive information, or at least of your personal information. And you need to find the way to do it.
For a better understanding of how to handle cybersecurity, see this free eBook: 9 Steps to Cybersecurity.
