Somebody will go to jail

The start of a new year is always a time for predictions and forecasts for the year to come – one that caught my eye was the Top 10 Cybersecurity predictions from Richard Starnes. The list makes some grim reading, starting as it does with "Somebody will go to jail".

Second on his list was a prediction that information security management training will become the new silver bullet. Citing the IBM 2015 Cyber Security Intelligence Index, he notes that over 40% of the average company's breaches were mostly due to inadequately or improperly trained personnel. UCISA has taken steps to try to address this, as Jerry Niman advised in an update in December to the UCISA Directors list, by reaching agreement with Leo to make the licence for their Information Security Awareness Learning Suite available to all UCISA full member organisations in perpetuity. The agreement includes reasonable updates for the first three years. This will be fully funded by UCISA, and will be available for institutions to host on the LMS of their choice. There will be no cost to institutions unless further customisation or hosting is required. We are working towards making the suite available in the first quarter this year.

Making the training available is one part of the solution – making sure those who need to take it actually do so is another challenge. A number of institutions have policies that state that all staff should take information security training, but not all follow it through and ensure that the policy is fully implemented. Chapter 9 of the UCISA Information Security Management Toolkit highlights the role awareness activities play in managing risk within the institution and shows how the effectiveness of such activities can be demonstrated.

Starnes’ list highlighted particular challenges around health data but he noted that one implication of an increased focus on cyber security was that the market for information security professionals will tighten, making recruiting experienced professionals more costly. As personnel become more expensive, so the need to understand the importance of the roles and the functions they perform and support increases. Clearly this understanding requires context; that context being provided by recognition of the value of the information and the risk to the institution of a breach of security or loss of data. Will it take somebody going to jail to focus minds?
