Selecting and Adopting a Security-Standards Framework

Overcoming the Objection “Security is not important, business is.”

Table of Contents

  1. Summary
  2. Case Study Background
  3. A Workshop-led Approach
  4. Business Impact
  5. Retrospective

1. Summary

Many organizations find themselves having to address the information security demands of their clients in addition to those of government regulators. Losing bids for financial contracts due to a lack of security can have devastating consequences and compounds the risks of a breach, which can include penalties for non-compliance, harm to brand reputation, and economic damage from liability litigation.

In this business technology impact report, we review a leading organization’s effort to determine which regulatory framework to adopt and how to map it to business results. We will refer to this company by a fictional name, Fides Ltd. They had started an internal initiative on certification but were getting caught up in details and overly burdensome policy and procedure documentation. Only after a series of consultations and two workshops with a third party did they understand the positive, real-world benefits that a pragmatic security program could bring, not just internally, but also to client-deliverable work and bottom-line profits.

Key outcomes from the workshop and consultancy work were:

  • Internal efforts at accomplishing information security certification can potentially hinder business efforts if not launched correctly.
  • Security initiatives require senior-level support to succeed.
  • Understanding the culture, goals, and values of an organization is just as important to an information security initiative’s success, as it secures senior-level support and understanding, sufficient funding, and alignment of the security initiatives with the business.
  • Assigning clear metrics to the broader information security program ensures implementation will be effective and successful.
  • Senior management must demonstrate a clear understanding of how information security risks are measured and treated, so that they understand the principles the certification program is operating under.

As a result, Fides was able to implement the ANSI ISO 27001:2013 standard across the organization. In this report we look at the steps involved and the key lessons learned in how to select and adopt a security-standards framework.