Organizations are increasingly dependent on their digital infrastructure. At the same time, these organizations seem to be more vulnerable than ever as cyber criminals’ techniques become more and more sophisticated. So how can you handle this situation? In other words: how do you become a secure online organization?
This was one of the topics discussed by Dell and Leaseweb customers during a roundtable discussion about security. IT security specialist and journalist Brenno de Winter provided interesting insights in his introduction: “If your company wants to be a secure organization, you have to manage risks. There are four options when dealing with risks: accepting them, reducing them through security measures, avoiding risks by ceasing certain activities, or to partially outsource risk management to a third party. There are also affordable insurance policies against hacks available which are worth considering. But no matter what you do, make sure you have a risk management strategy in place, supported by tools that identity the security risks of your organization.”
Possible approach: an example
As I mentioned previously, security starts in the boardroom. It’s all about minimizing your risks as much as possible. During the roundtable I explained how Leaseweb implemented risk management.
We began by identifying the risks the company faces. Every department was subjected to a risk assessment, from the reception desk up to the boardroom. At the end, 225 risks were identified. For every risk we determined the appropriate control measures. We then applied these control measures and examined what risks remained. This way we were able to develop a risk management framework that also indicates whether a risk impacts the confidentiality, integrity or availability of information. Using this framework we examined every part of the organization, learning how the control measures actually worked in practice. This is also reflected in our ISO 27001 and SOC1 reporting. It was a huge undertaking but – thanks to our risk manager – we now know exactly what risks we have to deal with and how they are mitigated through the measures we have taken.
When using an approach such as ours (which we dubbed The Leaseweb Trust Model), the board has to determine if risks are being managed well enough or if more action is required. Every additional measure has an impact on the security system as a whole because everything is interconnected and measurable. Navigating this complexity makes my work not only worthwhile but also fun.