Digitization and risk: two words that in the last couple of years have regularly been written in the same sentence. Digitization is one of the biggest movements of modern times and it challenges everyone. People, companies, countries and the world must adapt to fast-paced change as old ways of thinking and doing things are replaced by new ones. This change is, however, not without risk. Inadequate competence in the area, digitization with no tie to business value, and the risk of doing nothing at all are commonly discussed risks. So how do we approach the problem?
One way is to look at rules, regulations and standards. If a business can adopt the knowledge of others in a smart way, it can save itself a lot of unnecessary work. ISO, NIST, SoGP and CSC are all standards that aim to provide you with tools and frameworks for managing and handling security-related risks. But which standard should you follow? How do we determine what is good enough?
A decade-old problem in Sweden is that organizations have not been able to figure out how much security is good enough. I have countless times met people in charge who are unable to decide because they do not want to risk doing too much. Security is still seen as a cost in most companies, and excessive spending in the area is something people want to avoid. So we cross our fingers and do nothing instead, or, if we are lucky, the bare minimum.
Many organizations in Sweden turn to lawmakers or regulators for help in this area. In the same fashion, those bodies have been afraid to give detailed guidelines on what they consider good enough. Recently, however, the Swedish Civil Contingencies Agency published a draft guideline on basic IT security measures. Reading through this publication, we can finally see more detailed security requirements from a governmental entity.
The guideline describes basic IT security measures that an organization can implement. If the organization does not implement a specific measure, the result is a risk that needs to be handled. The measures are described at a reasonably detailed level and reference common standards such as ISO and NIST.
So, what can we learn from the guidelines? Going through the individual measures, we can see that there is nothing new: most of them are the same measures found in other standards or in known best practices. The difference in this case is that a governmental agency provides the baseline, meaning that following it should be enough to satisfy any auditor from a regulator.
However, it cannot be stressed enough that these are only guidelines! You are always ultimately responsible for the risk you manage. The guidelines should be a baseline for your security. Once those measures are in place, you must rely on your systematic security work and risk processes to determine whether that is good enough or whether more is needed.
Security baselines have always had a fundamental problem: the authors of the baseline have no insight into your organization and its context. Only you know what is important for your business and what is worth protecting. What we can learn from these guidelines is that they are another great tool for understanding what you definitely should be doing. Beyond that, it is up to you to determine what else needs to be done.
Written by Jimmi Ernberg