Partner Spotlight Blog - November edition

Should Your Organization Get Cyber Security Certified?

Cyber security is top of mind for many organizations, and there is a lot of discussion and marketing around a wide range of cyber security certifications. A number of organizations question the benefits of getting certified. The point is not the certificate itself; what matters is the process of operationalizing security within your organization.

The process of certifying against a security standard helps your staff move from ad-hoc security activities to holistic, ongoing operational practices. The certification then makes these practices visible both inside and outside the organization.

Internally, certification keeps security operations and practices top of mind for all staff, not just the IT team. Security is the responsibility of the entire organization. The process of getting certified enforces good practices and reduces risk through:

  1. Regular review and assessment of security practices;
  2. Prioritization of security for management, IT, and operations staff;
  3. Enforcement of regular business and operations processes; and
  4. Managing the risk instead of reacting to fires.

Externally, a cyber security certification tells your customers, suppliers, and entire business ecosystem that you take cyber security seriously. Many organizations have started to require minimum security operations benchmarks as part of their business contracts. This trend is expanding, and more businesses will follow suit.

The next question that is often asked is: which certification framework should my business use? Since a cyber security certification is not a one-and-done exercise, the key is to pick one that fits your business operations, scale, and sector. Most of the certifications are based on the same guiding principles of cyber security, so it is important to pick one that is expected and respected in your business sector. There are many to choose from; to name a few:

  • CyberSecure Canada (CSC) – a newer standard designed for small and medium businesses, supported by the Canadian government and well suited as a baseline for supply chain organizations;
  • ISO 27001 – internationally accepted;
  • National Institute of Standards and Technology (NIST) – popular in the financial sector and publicly funded organizations;
  • CMMC – required by the U.S. Department of Defense;
  • COBIT – common with publicly traded companies for SOX compliance; and
  • Center for Internet Security (CIS) – a newer standard that is gaining momentum internationally and across sectors.

In hockey, or any sport really, a good defenseman is never standing still; they are always reacting to the play around them. Cyber security is the same: if you are standing still, the hackers are going to blow right by you and breach your organization’s systems. Cyber security certifications can help you operationalize security, so you keep your (cyber security) feet moving.

Data Perceptions provides a range of cyber security consulting services, including security assessments. We can assess against a range of security frameworks, including ISO, NIST, and CSC. In recent assessments, we have seen a common issue around secure device configuration. This security control is a constant across all security frameworks. Secure device configuration is more about process than technology. Organizations need to have a deployment process for:

  • Changing default and administrative passwords on devices;
  • Reviewing device settings for insecure defaults and disabling all unnecessary functionality on devices;
  • Deploying current patches and firmware to the device; and
  • Enabling any necessary security features.

It is also recommended that there be a process to regularly review and monitor the devices so that passwords, settings, patches, and security features stay up to date. Devices include workstations, servers, IoT devices, mobile devices, network equipment, and printers – anything attached to the network.

A regular process is also required to remove accounts that are no longer needed, such as guest accounts, accounts of departed employees or contractors, and test or temporary accounts.

These tactics reduce the level of inherent vulnerabilities and make a hacker’s job more difficult.
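To show what operationalizing this control can look like, here is an added example (not Data Perceptions' tooling, and not tied to any framework's official checklist) that audits a device record against a per-device-type baseline for each step above: default password changed, unnecessary services disabled, firmware current, required security features enabled, and stale guest, departed-staff, contractor, and temporary accounts removed. The baseline values, staff roster, and sample printer are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Per-device-type baseline (constructed values for this example, not from any vendor).
BASELINE = {
    "printer": {"firmware": "4.2.1", "services": {"ipps", "https"}, "features": {"tls_only", "audit_log"}},
    "switch": {"firmware": "15.2.8", "services": {"ssh", "https"}, "features": {"port_security", "syslog"}},
}
ACTIVE_STAFF = {"alice", "bob"}  # constructed HR roster of current employees

@dataclass
class Device:
    name: str
    kind: str
    default_password_changed: bool
    firmware: str
    services: set   # services currently enabled on the device
    features: set   # security features currently enabled
    accounts: list  # (account, category, end_date_or_None); category is staff/guest/contractor/temp

def audit_device(dev: Device, today: date) -> list:
    """Return one finding per deviation from the deployment and account-review process."""
    base = BASELINE[dev.kind]
    findings = []
    if not dev.default_password_changed:
        findings.append("default/administrative password not changed")
    if extra := sorted(dev.services - base["services"]):
        findings.append(f"unnecessary services enabled: {extra}")
    if dev.firmware != base["firmware"]:
        findings.append(f"firmware {dev.firmware} is behind current {base['firmware']}")
    if missing := sorted(base["features"] - dev.features):
        findings.append(f"required security features disabled: {missing}")
    for name, category, ends in dev.accounts:
        if category in ("guest", "temp"):
            findings.append(f"remove {category} account '{name}'")
        elif category == "staff" and name not in ACTIVE_STAFF:
            findings.append(f"remove account '{name}' (departed employee)")
        elif category == "contractor" and (ends is None or ends < today):
            findings.append(f"remove contractor account '{name}' (engagement ended or no end date)")
    return findings

# Constructed sample: a lobby printer still close to factory settings, audited on 2021-11-01.
SAMPLE = Device("lobby-printer", "printer", False, "4.1.0", {"ipps", "https", "telnet", "ftp"}, {"tls_only"},
                [("alice", "staff", None), ("carol", "staff", None), ("guest", "guest", None),
                 ("vendor1", "contractor", date(2021, 6, 30))])
SAMPLE_DATE = date(2021, 11, 1)
if __name__ == "__main__":
    for finding in audit_device(SAMPLE, SAMPLE_DATE):
        print(f"{SAMPLE.name}: {finding}")
```

Run against a real inventory export on a schedule, the same function becomes the regular review the text calls for; the sample printer produces seven findings, one per neglected step.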

Data Perceptions is here to help guide you through the certification process. Our cyber security consulting team specializes in helping our clients develop holistic cyber security operational practices that align with your chosen cyber security framework and business operations. Data Perceptions was the first organization to be certified under the new CyberSecure Canada (CSC) framework.