To Certify or Not to Certify... That is the Question!
Much emphasis has been put on IT professionals, and Information Security professionals in particular, to obtain certifications, attestation reports and compliance opinions: ISO 27001 certification, SOC 2 reports, PCI DSS compliance, alignment with the NIST frameworks, and so on. In fact, it is quite common in my day-to-day life as a CISO to interact with individuals who hold multiple certifications and maintain multiple compliance reports for their company. These certifications, and the subject matter expertise that goes with them, are critical for organizations to have effective Information Security programs.
The questions that continue to plague CISOs and executive leadership are: which standard is sufficient? Should an organization follow many standards and seek certification against each of them? Should the organization keep the qualified individuals who implement and maintain the standard on staff, or outsource that function? Some CIOs are satisfied with a hybrid approach, where the Information Security leader picks and chooses aspects of different standards or frameworks to implement. The enlightened CIO understands that the CISO is the subject matter expert and should be set free to implement the framework that best fits the organization. Internal Auditors, who are tasked with independently assessing a program's effectiveness, look for such a framework when they assess the robustness of an organization's Information Security program. A defined framework is a precondition for a certified Information Security Management System (ISMS), which is what ISO 27001 certification attests to. With data breaches occurring more frequently, customers are speaking up and asking organizations how they protect their information and what they do to ensure that it is not put at risk.
The guidance an organization uses, and the standard or framework it implements, do not need to be reinvented. They do need to be appropriate for the organization, meet the requirements of its customers, and reflect the regulatory landscape in which the organization operates. Whether the framework is based on ISO 27001, ITIL, COBIT, the NIST frameworks, the SOC 2 Trust Services Criteria, or industry-specific frameworks such as FFIEC guidance or HITRUST, organizations should choose the framework that fits them best, tailor it, and take responsibility for it.
Putting on your customer hat for a moment, ask yourself: would you rather do business with an ISO 27001 certified company, a company holding a clean SOC 2 Type II report, or a company that doesn't take safeguarding your personal information seriously? (Note that ISO 27001 is a certification of the ISMS, while SOC 2 Type II is an auditor's attestation report on controls over a period; in either case, the certificate's scope statement or the report's system description tells you which systems and services are actually covered.) I would bet dollars to doughnuts that you are like me and would rather have your information secured instead of being sold to the highest bidder. With that said, it is critical that companies have certified Information Security Management Systems so that you and I can rest at night knowing our information is safe.