top of page
Cyber Certification??

Should Your Organization Get Certified in Cyber Security?

Many have started to require minimum security operations benchmarks as part of their business contracts. 

By Scott Murphy,  VP Strategic Business Development,

Richard Yarde, Security & Operations Lead 

Data Perceptions Inc. 

Published November 4, 2020

Cybersecurity is top of mind for many organizations, but most of them question the benefits of getting certified. Lately, there’s a lot of discussion and marketing effort centered around a wide range of cybersecurity certifications. The point is not the certification but rather the process of operationalizing security within your organization that’s valuable.

 

The certification process against a security standard will help your staff migrate from ad-hoc security activities to holistic and ongoing operational practices that are visible internally and externally.

Internally, cybersecurity certification keeps security operations and practices top of mind for all staff, not only the IT team. Therefore, security is the responsibility of the entire organization. The process of getting certified enforces good practices and reduces risks by:

Security Audit sm.jpg

  • Regulating review and assessment of security practices

  • Prioritizing security for management, IT, and operations staff

  • Enforcing regular business and operations processes

  • Managing the risk instead of reacting to fires

 

Externally, a cybersecurity certification communicates to your customers, suppliers, and the entire business ecosystem that you take cybersecurity seriously. Many organizations have started to require minimum security operations benchmarks as part of their business contracts. This trend is expanding, so more businesses will follow suit.

Regulations

The next question I get asked often is, which certification framework should my business use? Since a cyber security certification isn’t a one and done type of thing, the key is to pick one that fits your business operations, scale, and sector. Most certifications are based on the same guiding principles of cyber security, and it’s important to pick one that’s expected and respected in your business sector.

There are many to choose from, but the following name a few:

 

  • ISO 27001/2 – internationally accepted

  • NIST 800-53 – popular in the financial sector and publicly-funded organizations

  • NIST 800-171 – well-suited for small and medium organizations dealing with Controlled Unclassified Information (CUI)

  • CMMC – required by the U.S. Department of Defense with a range of maturity levels for organizations dealing with CUI

  • COBIT – common with publicly traded companies for SOX compliance

  • Centre for Internet Security (CIS) – a newer standard that focuses on operational security activities

  • CyberSecure Canada (CSC) - a newer standard designed for small and medium businesses. Supported by the Canadian government and well suited as a baseline for supply chain organizations.

  • SOC 2 / SSAE 18 – a common standard for data centres, SaaS, and other service providers. (skip to page 13 for the controls)

ISO Regulations.jpg
A Good Defence.jpg

Data Perceptions provides a range of cybersecurity consulting services, including security assessments. Our consulting team specializes in helping clients develop holistic cybersecurity operational practices that align with your chosen cybersecurity framework and business operations. In recent evaluations, we’ve seen similar issues arise, all of which have mitigating security controls in all major security frameworks. These general findings include deficiencies in the following areas:

 

  • Patching software and systems – mostly around secondary software tools

  • Missing or default passwords – typical with devices such as printers, switches, and IoT devices

  • Password length and complexity – although moving to multi-factor authentication is becoming more common to address this.

  • Security awareness training and testing –becoming more common, but it is equally important to validate the effectiveness of training with regular testing.

In hockey or any sport – a good defenseman is never standing still; they’re always reacting to the play around them. Cybersecurity is the same idea—if you’re standing still, the hackers are going to blow right by you and breach your organization’s systems. Cyber security certifications can help you operationalize security, so you keep your (cyber) feet moving.

Data Perceptions Security Consulting Services

  • Email security (DMARC/DKIM) – configurations to support reporting and prevention of spoofing mail services

  • Network segregation/segmentation – to isolate and secure network traffic between devices of different security risk and monitor traffic between zones

  • Network traffic decryption/inspection – is becoming critical as most nefarious tools use encrypted communications between your devices and the command center

 

Addressing these deficiencies will reduce the level of inherent vulnerabilities and make a hacker’s job more difficult. Since each is addressed in most security frameworks and certifications, taking your organization through a cyber security certification process will identify and address these weaknesses.

First Published No Jitter November 4, 2020

  • White Facebook Icon
  • White LinkedIn Icon
  • White Twitter Icon
bottom of page