Questions about cyber security have now definitely moved up to management level. The scale of the damage that a cyber attack can cause is enormous, and IT security has consequently become a key strategic issue that can involve the company’s long-term survival. The question, “What do we do when it happens to us?”, is no longer just being asked by technical staff in IT departments: it’s increasingly being asked by senior management, too.
“The more companies use digital tools and processes, and the more they work on their digital transformation, the more important the question of IT security for the entire company becomes,” says Jesper Blomé.
IT-related security risks have also become an important area for more and more companies and organisations when they are assessing their overall risks. The banking and finance sector has included IT security in its risk analyses for many years now, but in the manufacturing industry, for example, risk analyses were previously often focused on risks in relation to the actual operations, such as a decline in sales, production stoppages, or disruptions to the supply chain.
“Most companies nowadays hold very valuable assets in their IT environments. Whether it’s plans, patents, and critical data, or the management of critical production systems – they’re all part of companies’ IT environments nowadays. At which point it becomes enormously important – and business-critical – to protect these systems,” says Jesper.
The increasing significance and business-critical nature of IT security is reflected in the fact that many companies, including a number of small and medium-sized ones, are appointing a Chief Security Officer (CSO), and that this individual is an automatic member of the management group. As recently as five to ten years ago, the inclusion of IT managers in management groups was fairly rare.
But even if companies are now realising the importance of improving security, it’s still enormously important, according to Jesper, that company management implement high-quality, clear, comprehensive, and standardised reporting systems that facilitate auditing and follow-ups.
“It’s important to have a standardised security reporting format, so that a CSO in a corporate group, for example, doesn’t need to examine the security systems of 40 different subsidiaries to identify deficiencies.”
Jesper’s advice in this respect is to ask for help from a security expert who can analyse the type of reporting and incident management that the organisation needs at management level.
“Iver’s offering is specifically about being that partner, and about offering heavyweight security consultation. This can, in turn, result in Iver customising a number of services that improve security levels across the organisation.”