They say that learning from our successes and failures is a great way to navigate the path to our objectives and goals.
But there's a catch: in many cases there is a lot of zigzagging that can slow you down (or even distract you) on the way to those goals and objectives.
Obviously, you could take the longer path and learn more along the way (the best way to learn is from our failures, right?).
On the flip side, and fortunately for you, there is a way to fast-track the learning process and concentrate on achieving your goals and objectives. How? By sticking with something that has already proved valuable, something distilled from many years of other people's successes and failures. I am talking about a standard.
Let’s look deeper.
According to Merriam-Webster Dictionary, a standard is:
- “something established by authority, custom, or general consent as a model or example”;
- “something set up and established by authority as a rule for the measure of quantity, weight, extent, value, or quality”.
Each industry, be it accounting (GAAP or IFRS) or environmental management (ISO 14001), has its own set of standards that define best practices, recommendations and guidance to help organizations stay on the path towards their goals and objectives and ultimately make them successful.
And here is the good news: the IT industry is no exception.
This week, I was honoured to lead a Breakout Session at iTech Conference on IT strategy, security and controls, and how standardization (in our case it was ISO 27001 Standard) can help organizations simplify and improve their IT strategy.
At the request of a number of attendees, we have prepared a list of the Top 6 Reasons Why Adopting an IT Standard Can Make You Successful.
This list can be adapted to many business (or even life) situations, but for the purposes of this blog post it is focused on IT strategy and on finding your why (or reason) behind your approach to IT strategy, security and controls.
But before we begin:
ISO 27001 is the standard that specifies the requirements for an organization's Information Security Management System (ISMS), while ISO 27002 is the accompanying Code of Practice that gives guidance on implementing the ISMS controls. Those are the two standards referenced here, but the same approach can be applied with any reputable standard.
1. A common language and direction
Here is the thing: if one person paddles in a different direction, the boat turns uncontrollably. Similarly, getting the team (and better yet the whole organization) working with a globally accepted framework has the desired effect of speaking a common language and, figuratively, paddling in the same direction towards a common goal.
ISO 27001 starts with commitment from senior management and a risk assessment at that level. Every mitigation (control) should be traceable back to a risk that management has identified and agreed to treat; a control that cannot be tied to an accepted risk is a candidate for removal, and a risk with no control needs a documented treatment decision.
The best part? This provides transparency about the business requirements behind each control and improves everyone's understanding of the context of the organization.
2. Preparation to meet potential challenges
It is difficult, if not impossible, to prepare for a challenge that has not been identified, let alone quantified or understood. Leveraging a standard that suggests best practices helps uncover challenges that may not have been anticipated.
And trust me, this helps to avoid firefighting.
3. Credibility
A reputable standard brings a level of credibility to an IT strategy. As IT professionals, we are often questioned on our approach to solving an issue, implementing a new technology or communicating a new policy.
When an organization embraces a standard and agrees to leverage it strategically, a level of credibility is typically assumed. In many cases, certification to a standard such as ISO 27001 reduces the need for recurring and frequent audits by customers and stakeholders, since they can rely on the certification body's audit instead of performing their own.
But wait, there is more… In the case of ISO 27001, other regulations and standards also reference the use of ISO 27001 as a valid Information Security Management System (or ISMS) further extending the credibility. In many cases, ISO 27001 is a voluntary certification completed by an organization to demonstrate their commitment to information security which arguably trumps the credibility of mandatory regulations and industry compliance requirements (since they are often followed by penalties such as fines for non-compliance).
4. Measurable progress
As the saying goes, what gets measured gets done. In other words, being able to see and understand the current state versus the target state helps us achieve goals individually and collectively. As mentioned above, ISO 27001 specifies the requirements against which an organization's ISMS can be audited, and ISO 27002 provides the detailed control guidance for meeting them; the gap between what the standard requires and what is actually in place is a concrete, measurable quantity.
Why is this important? If an organization is aiming for certification, that is a very clear objective which can be measured initially (a gap assessment) and on an ongoing basis.
Additionally, audit findings provide a clear indication of the performance of the ISMS, which leads us to the next point.
5. Continual Improvement
Here's the deal: certification to ISO 27001 includes a requirement for regular, recurring audits. Wait… more audits?
Exactly. Internal audits on a planned schedule, yearly surveillance audits by the certification body, and a full recertification audit of the ISMS every three years, all intended to demonstrate continual improvement. These audits give an organization the chance to have an outside reviewer analyze the performance of its ISMS with a view to improving it.
There will never be a time when absolute perfection is achieved; every organization can improve regardless of its maturity level, and these audits reflect that fact.
6. Great ideas are not made in isolation
This is arguably the most important point.
Regardless of how seasoned an IT professional you are, it is difficult to match the time put in by the various communities that develop IT standards. So why not leverage that work?
Fair enough, you often hear about the amount of reading Bill Gates or Warren Buffett does to feed their thirst for knowledge. And there is a reason for this.
As it turns out, inventing or devising new ideas is extremely difficult and is often done with a narrow scope. Ideas typically become great when you combine them with existing information.
Why develop an IT strategy around security and controls in isolation when there are standards (collections of lessons learned, best practices and many thousands of hours of effort) just waiting to be used and built upon?
To sum up, adopting an IT standard is a simple way to ensure you stay on your path towards your goals and objectives and ultimately make you successful.
About the Author
Nils Madi is the principal security and network consultant and co-founder of Genieall. Over the past 15 years, Nils has worked with many organizations to implement best practices relating to administrative, technical and physical security controls. Following standards and compliance requirements such as PCI, NERC, NIST, ISO and PHIPA, Nils has worked across the spectrum of audit, implementation, operational management and ITSM. Working with multinational organizations, Nils has developed a strong understanding of regional compliance requirements along with a pragmatic approach to reaching compliance and security targets.
Stay in Touch
Email: [email protected]
Phone: (866) 214-7863