"Trust" and "security": not add-ons

Why «trust» and «security» should never be Add-ons

Article published on the supplement “Protection” of the “Tribune de Genève” and the “24 Heures” on 9 September 2020.

ISACA, the International Information Systems Governance Association, supports companies in the fight against cyber attacks. INTERVIEW SMA

The internet is a crucial tool for most companies. Unfortunately, it does not only offer possibilities but also opens up potential vulnerabilities. Especially small and mid-sized enterprises (SMEs) are often victims of cyber-attacks. The international IT-Governance Association ISACA helps companies fight this trend. We spoke to Jeff Primus, Security-Expert and ISACA-board member for Romandie, to learn how this works.

Jeff Primus, nowadays the importance of cyber-security is undisputed – also because a rising number of organizations find themselves being targeted by hackers. But what exactly does «cyber-security» imply for SMEs?

Firstly, we must look at the context in which companies currently find themselves: Boosted by accelerated global exchanges, cyber-threats are spreading rapidly, with large scale worldwide effects also grandly impacting Switzerland as a key platform of information exchanges. In such a context, Swiss SMEs should be prepared to cope with the major disruptions to the information systems caused by cyber-attacks. Failure to activate prepared solutions for such scenarios, which can harm the delivery of the products and services, can have major consequences for the enterprises’ survival. Therefore, the discipline of «Cyber-Security-Governance» is gaining more and more traction.

What does Cyber-Security-Governance entail?

It focuses on setting objectives, measures, roles and responsibilities to help to protect organization’s information systems, enabling them to bring more value while reducing the risks. For example, in the context of the current coronavirus pandemic, remote working «home office» has become the most widely implemented action to enable business continuity. In consequence, enterprises are opening more doors and vulnerabilities to enable the information flow between the corporate datacenter and remote workers. This can, however, be potentially detrimental as enterprises are mainly focused on their survival and consider security «a low priority topic». This facilitates the exponential increase of the frequency of cyber-attacks exploiting various vulnerabilities. These attacks, coupled with the capacity limits of national, regional and worldwide infrastructures are seriously shaking the fundamentals of security & privacy in terms of information confidentiality, integrity, business continuity and data protection. Cyber-Security-Governance provides companies with a toolset to address all these topics.

So, Cyber-Security-Governance is becoming one of the main building blocks for ensuring Business Continuity. How does the topic of data privacy come into play?

According to the official 2019 statistics published by the Swiss government, 99% of economic power is based on SMEs, making the vast majority of businesses highly vulnerable to cyberattacks. With the pandemic context, more than ever, the convergence of Information Security, Privacy and Business Continuity is becoming a MUST to implement, in order to reduce financial, operational, legal and reputational impacts of cyber-threats. One key to a successful realization of converged governance is to apply well-established frameworks and certifications such as COBIT, CRISC, ISO 27001, GDPR, and many more. The issue: Implementing these sometimes quite «huge» frameworks can be work- and cost-intensive. Big Companies have the power to do so, but most smaller ones do not.

The solution?

It lies in a «Light implementation approach». Simply put: By breaking huge frameworks into smaller, more easily implementable parts, SMEs can choose the most appropriate subset of measures which fit their needs. Ideally, enterprises would embrace the concept of «Security and Privacy by Design». This means that these two essential factors are being considered at the very start of application infrastructure development and acquisition. Because one of the main errors of many organizations lies in the fact that they do put in place information solutions, BUT usually forget to incorporate the privacy and security aspects from the beginning. They are then later added, almost as an afterthought or Add-on. But security and privacy should be a part of the very DNA of applications.

The COVID app of the government has re-ignited the debate on whether or not users should share their data with organizations. How can the trust of users be won?

Unfortunately, due to events such as the Swisscom Data theft from 2018, people are reluctant to trust organizations as far as the protection of their personal data is concerned, which explains why organizations need to enhance «Trust by design». How can they do that? By implementing «Security and Privacy by Design», as mentioned. By promoting these key messages, applications such as the COVID APP will be adopted by higher rates. This kind of implementation can be practised via ISACAs new cursus: «Certified Data Privacy Solutions Engineer».

Let us speak of ISACA – how does it work and how do its services help companies?

The ISACA association is a network for people who are interested and wish to develop themselves in domains such as IT governance, auditing, Cybersecurity and Risk Management. The association has been active in Switzerland for 30 years. On the one hand, ISACA promotes the exchange of knowledge, on the other hand, also offers further training and certification. The latter, in particular, is a valuable tool for employees who wish to enhance their technical and organizational expertise.

How does your own company, ACTAGIS, help clients to put the principles of ISACA into action?

ACTAGIS, as the official and exclusive partner of the ISACA Swiss Chapter in the French part of Switzerland, proposes learning and preparation classes for all ISACA certifications (also worldwide for in-house training). Active on the market for more than 25 years, in the IT Governance, Cybersecurity, Risk Management & Business Continuity domains, ACTAGIS consultants and trainers offer strong added value services (organizational and technical) to enterprises and organizations. The objective being to help them create more value for less risk and to increase their performance while reducing expenditures for their strategic projects. We also propose trainings with certifications in order to ensure the transmission of knowledge and expertise that increase the competitiveness of our customers. By doing this, we aim to be a trusted, discrete, reliable and rapidly available partner.

For further information, visit www.isaca.com et www.actagis.com