In a Prime Ministerial briefing by NZ intelligence agencies in 2015, the loss of information and data from a cyber attack was rated the second highest threat to NZ, carrying economic and reputational risks.
‘Information Security’ is broader than ‘Cyber Security’. The cyber threat is real and growing, but it is only part of the story. After a dispassionate threat assessment you may find that your greatest risk is not the lone pony-tailed offshore hacker, or state-sponsored cyber intrusion. It may be your untested disaster recovery capability, or privileged password sharing within your own IT team, or your insufficiently secure off-site paper records storage facility.
Information Security is a necessary evil – we would all rather not have to do it. It is an emotive issue and a potentially bottomless pit for resources. Hoping it will go away, or appearing to do the minimum necessary to keep the auditors happy won’t save your reputation and your business when you have a major and avoidable information security incident.
It is easy to spend too much time and money on cyber security. The cyber security industry has a vested interest in winding you up. Equally, it is easy not to do enough for your Information Security and hope that there will not be a major incident during your tenure. What is enough depends on your current threat environment and your particular risk profile. Cost-effective Information Security is explicitly and rigorously risk-driven.
What counts as appropriate Information Security measures for a given risk profile is a moving target. Over time the target of what is reasonable will move with the generic threat profile, with ever-changing and increasingly inter-connected ICT, and with developing Information Security measures and tools.
Today, in the public sector in Aotearoa-New Zealand, if you can demonstrate that you are substantially compliant with the Protective Security Requirements (PSR) and the New Zealand Information Security Manual (NZISM) for any given level of security classification, you are doing what Cabinet considers to be reasonable. The NZISM has been and will continue to be updated periodically, and we can expect the reasonableness bar to rise over time.
In some parts of the private sector, such as the banking sector, the Information Security bar is set much higher.
Substantial compliance with the PSR and the NZISM does not guarantee that you will not suffer a major Information Security incident, but it does mean that you have been front-footing it, and it will allow you to respond to a major incident calmly and with credibility – to the media, to your customers, and to your stakeholders. Not being prepared and compliant will significantly damage your reputation and carries the risk of significant over-reaction and over-spending on your part after a major Information Security incident.
Privacy and confidentiality protection is one dimension of Information Security. But in the eagerness to protect against individual breaches of privacy or of classified information, we should not forget that an Information Security breach can also take down your critical systems in their entirety. Azimuth Consulting will ensure the macro is not lost in the micro.
In the cyber jungle that we all live in, our customers and partners expect us to have robust Information Security. To provide our customers with the pretty and easy mobile interfaces they expect, those interfaces must be secure enough. To avoid creating back office headaches, your mobile front ends need to be integrated securely with your legacy back-end processes and systems.
Azimuth Consulting will work with you over the long term to ensure you have reasonable, current, integrated, and risk-driven Information Security measures in place.