Cyber security is top of mind for many organizations, but most of them question the benefits of getting certified. Lately, there’s a lot of discussion and marketing effort centered around a wide range of cyber security certifications. The point is not the certification, but rather the process of operationalizing security within your organization that’s valuable.
The certification process against a security standard will help your staff migrate from ad-hoc security activities to holistic and ongoing operational practices that are visible internally and externally.
Internally, cyber security certification keeps security operations and practices top of mind for all staff, not only the IT team. Therefore, security is the responsibility of the entire organization. The process of getting certified enforces good practices and reduces risks by:
- Regulating review and assessment of security practices
- Prioritizing security for management, IT, and operations staff
- Enforcing regular business and operations processes
- Managing the risk instead of reacting to fires
Externally, a cyber security certification communicates to your customers, suppliers, and the entire business ecosystem that you take cyber security seriously. Many organizations have started to require minimum security operations benchmarks as part of their business contracts. This trend is expanding, so more businesses will follow suit.
The next question I get asked often is, which certification framework should my business use? Since a cyber security certification isn’t a one and done type of thing, the key is to pick one that fits your business operations, scale, and sector. Most certifications are based on the same guiding principles of cyber security, and it’s important to pick one that’s expected and respected in your business sector. There are many to choose from, but the following name a few:
- ISO 27001/2 – internationally accepted
- NIST 800-53 – popular in the financial sector and publicly-funded organizations
- NIST 800-171 – well-suited for small and medium organizations dealing with Controlled Unclassified Information (CUI)
- CMMC – required by the U.S. Department of Defense with a range of maturity levels for organizations dealing with CUI
- COBIT – common with publicly traded companies for SOX compliance
- Centre for Internet Security (CIS) – a newer standard that focuses on operational security activities
In hockey or any sport – a good defenseman is never standing still; they’re always reacting to the play around them. Cyber security is the same idea—if you’re standing still, the hackers are going to blow right by you and breach your organization’s systems. Cyber security certifications can help you operationalize security, so you keep your (cyber) feet moving.
provides a range of cyber security consulting services
, including security assessments. Our consulting team specializes in helping clients develop holistic cyber security operational practices that align with your chosen cyber security framework and business operations. In recent evaluations, we’ve seen similar issues arise, all of which have mitigating security controls in all major security frameworks. These general findings include deficiencies in the following areas:
- Patching software and systems – mostly around secondary software tools
- Missing or default passwords – typical with devices such as printers, switches, and IoT devices
- Password length and complexity – although moving to multi-factor authentication is becoming more common to address this.
- Security awareness training and testing –becoming more common, but it is equally important to validate the effectiveness of training with regular testing.
- Email security (DMARC/DKIM) – configurations to support reporting and prevention of spoofing mail services
- Network segregation/segmentation – to isolate and secure network traffic between devices of different security risk and monitor traffic between zones
- Network traffic decryption/inspection – is becoming critical as most nefarious tools use encrypted communications between your devices and the command center
Addressing these deficiencies will reduce the level of inherent vulnerabilities and make a hacker’s job more difficult. Since each is addressed in most security frameworks and certifications, taking your organization through a cyber security certification process will identify and address these weaknesses.
Richard Yarde, Data Perceptions’ Security & Operations Practice Lead, contributed to this article.
SCTC Perspective" is written by members of the Society of Communications Technology Consultants, an international organization of independent information and communications technology professionals serving clients in all business sectors and government worldwide.
Knowing the challenges many enterprises are facing during COVID-19, the SCTC is offering to qualified members of the Enterprise Connect user community a limited, pro bono consulting engagement, approximately 2 - 4 hours, including a small discovery, analysis, and a deliverable. This engagement will be strictly voluntary, with no requirement for the user/client to continue beyond this initial engagement. For more information or to apply, please visit us here.