In the world of IT and Cyber, there is one common denominator: Certifications. I have written about this before, and in
fact, have even written a couple of whitepapers on this very topic for a couple
of writing clients that I have.
Back in the day of the .com craze, it was the Microsoft MCSE
cert that ruled. But now with everybody either
going into AWS or Azure, the plethora of certs has exploded even
more. In fact, just a few days ago, I
was looking at all of the Cloud certs available, and my head just exploded.
This is in addition to the other certs that are offered
through other institutions as well, such as those of (ISC)² and CompTIA. So it's no wonder that when a person wants to
get a Cyber cert, they are very often bewildered as to even where to
start.
But it is not just individuals. The same holds true for companies as well. Given how compliance-driven a lot of things are today, companies are
pursuing their own type of cert that they think is relevant to them.
A lot of this relates to the data privacy laws, such as
those of the GDPR, the CCPA, HIPAA, etc.
Also, many other states are now passing their own versions of these laws, and
so are other countries around the world.
Now imagine if you are a multinational company: what kind of certs do
you need so that you can have the regulators and auditors stay off your back?
This can be a difficult question to answer, as you will be
subject to the data privacy laws of each country that you operate in, or at least
conduct financial transactions in. In other
words, at the present time at least, there does not exist a set of
international standards that a company can follow. But here in the United
States, the two most popular certs that companies go after tend to be
SOC 2 and ISO 27001.
But now, here comes the tradeoff: It can take up to 6 months to get one of
these certs (it’s not the same as passing a Cyber cert). Because of this huge time commitment, it
drains employee resources, and worse yet, it can even make an
impact on the bottom line, as this is considered to be a non-revenue generating
activity. So now the question becomes: is
it really worth it?
It can actually be quite helpful from two different angles:
* By having one of these major certs, it proves to the
regulating body of one of these data privacy laws that you are taking compliance
very seriously, and that there are very good chances the controls that you have
implemented are up to snuff. As a result,
the chances that you will get audited and/or even face financial penalties are
thus greatly lowered.
* Having these certs is actually a good thing when
approaching sales prospects and new customers.
It shows to them also that you are taking Cyber and the protection of
PII datasets seriously, and have a proactive mindset.
* You will have greater chances of getting quality third
party vendors that you can outsource your business processes to, as they will
also be required, to varying degrees, to have this cert.
There are also the downsides of this as well:
* As mentioned, it is a huge expense and time commitment for
a company to get one. Perhaps it may be
time to rethink if it is really worth the effort, when these resources can be
diverted to other revenue generating projects.
Also, you have to keep in mind the industry that you are in. Not all of them are subject to the
data privacy laws previously described.
* Now, here is the catch 22.
Even though you may have the cert in hand, you can still become a victim
of a Cyberattack. There is no stopping
that. All the certs will do for you is
have you engage in certain types of activities that will help reduce the risk of
this happening, such as by deploying the right set of controls and/or upgrading
the existing set that you have. Now if you
are hit and have this cert, people are then going to ask you, “How did this
happen?” Unfortunately, this can be a
very difficult situation to be put into.
* Even here in the United States, there is no set of best standards
when it comes to the actual awarding of the certs. As a result, the number of organizations
that put you through the wringer has increased by 4x. So, how do you know who is for real and who
is not in this regard? This is where you
have to practice your due diligence. To make
things worse, every training organization has its own method of awarding one
of these certs and its own set of guidelines for awarding it. So how do you know which one is better?
* After a company has received its cert, the chances are fairly
high that it will let its guard down.
For example, being proactive is not just a one-time deal. It has to happen on a daily basis, with each
and every employee. Obtaining the cert
has taught you and your employees valuable skills to keep that mindset. But
after achieving it, many companies let out a sigh of relief and forget all that
they have been through.
My Thoughts On This:
So in the end, the fundamental question remains: Should your
company get either one of these certs that have been examined in this
blog? Once again, it comes down to the market
you are in. If you are a business that deals
with a lot of data, then of course it makes sense to have one.
But if you are not one, then it may make more sense to
pursue a cert that is closely aligned to what you are actually doing.
But keep in mind that if you decide to get this kind of cert,
it is merely a starting point. You still
need to keep your guard up, by conducting routine drills, security awareness
programs, and pen testing exercises (it is highly recommended that the last two
be done on at least a quarterly basis).
Also, make sure that you carefully vet the testing
agency that will be awarding your cert in the end.