Cyber Security has become one of the top priorities of businesses. Businesses have to follow certain rules and regulations in order to remain compliant. On one side, organisations are building their Information Security and Cyber Security capabilities; on the other hand, it is equally important to have a knowledgeable leadership that is at least aware of basic Cyber Security concepts.
Cyber-crimes and attacks have a huge impact on an organisation's security, its financial growth, and consumer confidence. Each and every business, regardless of size or geographic location, is a potential target for hackers. Preparing for and responding to this growing cyber threat is necessary, and it is an executive-level responsibility.
There have been many cases where top management has become the victim of cyber security fraud and incidents because of a lack of information security awareness.
Although cyber awareness is mandatory for everyone working in the organisation, it is even more essential for the leadership.
Reasons why top management should attend cyber security training:
- Top management often works with privileged accounts, i.e. they mostly have admin privileges on their systems, and so can lose critical information in any cyber-attack.
- Generally, top management's IT systems are not under continuous monitoring, so it is easier for a hacker or malicious user to intrude into the system and remain undetected.
- Top management holds very crucial business data with a very high "Hack Value", i.e. data that is worth hacking, which generally attracts hackers and competitors.
- Top management is generally not aware of the day-to-day practicalities of cyber security and information security, so they are the most vulnerable to any cyber threat.
- Top management mostly uses their IT systems outside the organisation's network, at conferences, in hotel rooms, at investor meetings, etc., since they travel a lot for business purposes. They should be aware of the dos and don'ts of cyber security and information security.
- Data leakage from any top manager's system could damage the organisation's reputation.
- Top management often falls prey to cyber security incidents because of their popularity in the wider world and their credentials being available online.
- Top managers are most of the time very good management professionals; however, they lack a good IT security skill set, which can be built by attending cyber security awareness training.
What is the Role of Leadership in an Information Security Management System (ISMS)?
Leadership plays a very important role in an Information Security Management System.
- Leadership defines the policies and procedures for Cyber Security and Information Security with respect to regulatory compliance.
- Leadership provides appropriate financial, technical and human resources for maintaining Information and Cyber Security.
- Leadership is responsible for periodic review of Information Security and Cyber Security status of the organisation.
- Leadership is also responsible for the periodic review of risks pertaining to Cyber Security and Information Security, and for the treatment of high-level risks which could be detrimental to the organisation's growth.
- Leadership is responsible for Risk Treatment: Risk Mitigation, Risk Avoidance, Risk Acceptance, and Risk Sharing. The resources to mitigate Information Security and Cyber Security risk shall be provided by leadership.
What should be the content of Cyber Security awareness training?
Training should give a basic understanding of information security and cyber security. Clear definitions and examples of Confidentiality, Integrity and Availability should be provided.
- Basics of information systems
- Definitions and examples of IT systems like networks and applications
- Examples of Information Assets: Networks, Applications, People, Documents
- Importance of cyber security and information security
- Difference between the Information Technology and Information Security governance systems
- Importance of reviewing the information security and cyber security status of the organisation.
- Difference between IT security and Information Security
- Importance of developing Information Security and Cyber Security training and awareness among employees, including vendors and contractual staff.
- Regular development of competence among employees for handling information security and cyber security issues.
- Importance of business continuity and disaster recovery.
- Common threat scenarios like phishing, spoofing and vishing (voice phishing) should also be demonstrated during information security training.
- Risks pertaining to third parties or outsourced services.
- Information and cyber security compliance.
- Change management, capacity management, backup management and incident management.
- Importance of vendor risk assessment and third-party security audits.
- Basics of user access management and asset management
- Aspects of vulnerability management and patch management.
- Importance and process of cyber security forensics.
- Basics of encryption and the importance of its use for information security.
- Cyber resilience and tabletop exercises.
Information Technology and Information Security work hand in hand. Both complement each other; however, they are different domains. In many cases it has been observed that, due to a lack of appropriate knowledge and training, many leaders and top managers are unable to take the right decisions pertaining to information security and cyber security, which can sometimes lead to serious compliance issues. Attending an awareness session will definitely be helpful for the organisation's growth.
A comprehensive training program will help Top Management understand the basics of Information and Cyber Security threats and risks. It also helps the leadership understand how compliance with them should be managed.
Organisations that are the most prepared to mitigate cyber risks have top management and leadership that are aware and informed of the current cyber security and information security threat environment. Executives and Boards of Directors set the organisation's policy, approve financial and human resource budgets, and provide oversight and leadership. Setting the governance from the top is essential. Cyber security risk management is often considered an IT issue; however, it is a cross-departmental responsibility that requires executive leadership and support. It is very important for any organisation to identify and mitigate any kind of cyber security or information security risk.
Many online and in-house customised training programmes are available worldwide for enhancing cyber security skills at each level of the organisation. A cyber security awareness session would definitely be helpful for understanding the current risk scenario and how to deal with those situations.
ISO 27001: ISO 27001 is a standard that is followed for the Information Security Management System (ISMS) of an organization, under which the company's compliance status is checked and, based on that, new policies are created and applied. It is a mandate in many sectors, such as companies involved in the Cyber Security domain. An ISMS covers the 3 major elements of cyber security: Confidentiality, Integrity and Availability (CIA).
To ensure compliance with the CIA principles in terms of ISO 27k1, companies need to:
- Assess the risks
- Formulate policies
- Implement policies
- Continuously monitor and update
Both the IT and non-IT infrastructure of a company go through the above-mentioned process, but the ISO 27k1 audit is mainly focused on the company's IT infrastructure.
ISO 27001 Certification:
Being ISO 27001 certified means that the certification body you choose for this process (PECB or IRCA) gives you an attested confirmation that your organization is compliant with all the guidelines of ISO 27k1.
There are two types of ISO certification: Individual and Organization.
The process for an individual certified professional is completely different from that for a certified organization; these certified professionals then go on to perform the process of certifying the organization.
Types of ISO certified Professionals
- Lead Auditor
- Lead Implementer
A lead auditor is the one responsible for leading the audit team in an organization. He or she prepares the audit plan, conducts meetings and submits the audit report at the end of the quarter or year. Conducting audits is the main responsibility of a lead auditor, and that needs to be done on a daily basis.
A lead implementer is the one responsible for putting the lead auditor's plan into action and making sure all the policies are implemented and properly controlled.
Process of getting certified
According to PECB, the process of getting ISO 27k1 LA/LI certified is not nearly as lengthy for individuals as it is for organizations.
- Previous experience: a minimum of 4 years of job experience in IT is crucial, of which at least 2 years have to be in cyber security.
- Training & Examination: After attending 5 days of training in ISO 27k1 LA/LI, following the course outline set by the certification body of your choice or requirement, you have to submit the examination fee to the certification body, after which an invoice in your name, along with your exam question papers, is prepared and sent to the authorized training center for you to attempt the exam.
- Certification process: After attempting the certification exam, the candidate fills in the certification forms with the required information. In the back end, the certification body verifies the information given by the candidate and, if the requirements are met, the certificate is issued.
An interview with Pallavi Katoch
Corporate Trainer | Executive & Life Coach | Master Practitioner NLP | Research Scholar | Educator
Company: Per4m – a Training and Counseling Company which undertakes Training, Coaching and Counseling of Corporate Professionals and students of Institutions and also the Faculty of Universities and Colleges.
Pallavi Katoch is a Master Trainer with 23 years of experience behind her. Being an enthusiast in the field of training, both delivery and content development, she has influenced many across industries in India and overseas. She is a certified Master Trainer (Cambridge University), a Certified Professional Coach, and an NLP Master Practitioner (AnchorNLP, India). Based on Adult Learning Principles, she follows a scientific approach to training and has been certified to Train-The-Trainer and Train Adults by Cambridge University. With a strong knowledge base and excellent communication skills, Pallavi has been successfully meeting the objectives of the sessions she conducts, thereby being an effective facilitator, coach, personal trainer and instructor.
Some excerpts from the interview:
Rajneesh: Pallavi, you attended an International Conference recently. Can you tell us more about the event?
Pallavi: ABRM (Academy of Business & Retail Management) conducted the 7th International Conference on Restructuring of the Global Economy (ROGE) at The University of Oxford, UK, on 3rd & 4th July 2017. I was one among the invitees from the Asia Pacific region. It was an honor to have been chosen on the basis of my research paper, which was accepted and appreciated by the University of Oxford, UK. I was called to present my paper, which was an integral part of the conference proceedings. The schedule of the conference was:
Day 1: The Conference was opened by Mr. P.R. Datta, Executive Chairman, ABRM. Presentations were given by keynote speakers who are renowned and accomplished professors from the University of Pennsylvania, University of Kent in USA, University of Halifax in Canada, University of Oxford, etc. There was also a preview of presentations by the delegates.
Day 2: Presentation by me for 30 minutes, followed by a Q&A session of 10 minutes.
Rajneesh: In what way did this event help you?
Pallavi: Attending this conference had the following benefits:
- Learn and acquire cutting-edge international knowledge in various disciplines of management from internationally reputed experts.
- Recognition of my work on an international platform as a participant or paper/poster presenter.
- All accepted abstracts/full papers were published in the conference proceedings, in both print and online versions, titled "The Business and Management Review" ((Print) ISSN 2047-2854 and (Online) ISSN 2051-8498).
- Potential identification of my future collaborative partners among international, vibrant and scholarly audience.
Rajneesh: Who will be the beneficiaries of this program?
Pallavi: Since I mainly train professionals and students, the knowledge I gained during this International Conference would benefit:
- Any professional who is looking at redefining his/her self-image and building better professional relationships with others.
- Students who are in the initial stage of their career and will be able to develop and build their personality to make wise decisions in choosing their career.
Rajneesh: What changes have you noticed since returning to India after the conference?
Pallavi: I have been getting a lot of emails and phone calls from entrepreneurs and academic professionals and universities, asking me to conduct training in the field of management so that many can benefit from it.
Rajneesh: What are the benefits of exposure to this kind of international event for corporates and students from our country?
Pallavi: This kind of presentation and further training will help and benefit our people to be more self-dependent. It will also help individuals to take responsibility for their own actions, so that they are more confident and balanced in making critical decisions in their life. This change is required to progress and be empowered.
Rajneesh: What areas of training do you focus on at your training sessions?
Pallavi: I emphasize:
- Lead To Impact – Leadership for top management and senior management.
- The Perfect Presentation – Present To Impact and Influence
- The Strategic Leader – Strategies to expand and diversify business
- Adapt To Change – Change Management.
- Stepping Up To Management – Gearing to manage.
- Advanced Communication – To Persuade and Influence.
- Decision Making and Problem Solving – PDSA Module.