The Business Value of Honesty and What it Means in Cyber Security

Not long ago, life seemed comfortable – or at least, I had convinced myself that that was the situation. You see, I thought I was naturally fit. I did not need to exercise or watch what I ate, because I was naturally in good shape. Ok, I had not exercised since I had an injury which forced me to stop playing football and I could eat badly, and it was all good. In fact, I thought I was in my prime – I could do whatever I wanted, you know, whenever I wanted to.

It was all comfortable. No sweating. No going out in the rain. Having a beer with a meal. Doughnut at work? No problem. Couple of biscuits before bed? Go for it.

However, a fundamental shift of mindset blew away the false sense of security and laid bare the reality of my life – I was horribly unfit, eating in ways that did not support me mentally or physically. I needed to take action to rebuild myself into someone who my daughter is proud of.

What followed has been a transformation of myself and my life. A deep routed commitment to change – developing good habits to replace the bad, a series of short and long term goals, holding myself accountable and asking friends to help me with this and above all, enjoying the changes, despite the many knock backs that have left me reeling along the way.

Now, think about information risk within your business. Are you comfortably enjoying false security? Or are you embracing a challenging journey, which will mirror back uncomfortable truths?

Its easy to just ignore the risks you have, or at least it is until the rent is due and the risks that you weren’t able to accept, bubble to the surface and everything you thought to be true comes tumbling down.

How can you guard against this? How can you ensure that you are acknowledging the painful truths? Below are some key points to help you acknowledge where you are in your cybersecurity journey:

  • Be honest

Sounds easy doesn’t it – however you are the easiest person to fool. Challenge everything, no matter how uncomfortable it is – acknowledge your true risks and take action.

  • Get out in the business

Not so easy during these COVID times, however you need to be in touch with the business. You need to seek out honest opinions. Getting feedback on cybersecurity weaknesses is not just a line in a policy, its an important cultural shift. You are not going to be in an honest place, without hearing the uncomfortable messages from the business.

  • Define your destination

Once you know accurately where you are, work out where you need to be. Is it ISO27001 certification? Or visibility of all your risks? Work out what the business needs.

  • Plan your journey

Set short- and medium-term goals – it will take time to reach you destination and you will get lost in the fog without clear steps. Completing a gap assessment could be the first step in doing so. Tools such as the Cybersecurity Diagnostic Assessment can fast-track this process.

  • Improvement is continual

The earlier point told you to define your destination – Ironically, we haven’t been completely honest here. There is no destination because it is always evolving and moving. Accept this journey never ends, extending to forever – sorry!

  • Accountability partners are your best friend

We have yet to see anyone who is pleased to have a visit from internal audit – however these guys are your best friend. Give them a clear picture, be open and honest. Welcome them challenging you, and be willing to change. It will be for the better!

  • Set aside some time

Use this as your ‘honesty time’ – where you challenge yourself and what is going on. Turn off your phone and email and have quality thinking time – 30 minutes a week tends to work well in our experience.

Progress and positive change can never be achieved without being honest from the start – we have seen this in business, our personal lives, and cyber security. We live in a world of ‘fake news’ and misinformation, so the least we can do is be honest, acknowledge our true risk, and take action. Several years ago, there was a programme on TV about restaurants in trouble. The presenter would tell all the owners “When you walk into your business every day, look at it, as if it was the first time your seen it.” Now do that with your business and information risk!