A map is useless to anyone who is lost and doesn’t know their current location, unless of course, someone shows them where they are on the map.
A developer cannot confidently construct a house without knowing the state of the ground on which he is building. A detailed ground survey must first be carried out.
A business leader cannot plan ahead without knowing the financial strength of her business. A full financial review is first required.
In similar fashion, an organisation that does not know where it stands on information security will be unable to defend itself well during a cyber-attack, nor will it be able to cope when it finds itself at the centre of a data breach.
Many well-informed business leaders today are realising that a wide-reaching security incident in their business operation is not only possible but, in reality, quite likely to happen (if not this month, then the next) if they are complacent and do not prepare. Consequently, astute company directors and senior business leaders are now requesting regular updates on the "cyber risk" position of their organisations.
But where to start? How does one get to grips with one’s “cyber risk” position?
One effective step forward is to conduct a gap analysis of the company's security position against one of the mainstream security standards, such as ISO/IEC 27001 or the Payment Card Industry (PCI) Data Security Standard (DSS).
Take the PCI DSS as one example. If your business accepts payment for its products or services, or receives donations (if your business is a charity) by means of payment cards, then your business is required by the payment card brands, through its agreement with its acquiring bank, to comply fully with the PCI DSS. A PCI gap analysis would first establish the scope of your cardholder data environment (every system that stores, processes or transmits cardholder data, and any system connected to it), and would then provide you with a clear statement of where you currently meet the standard and where there is a need for remedial work. The gap analysis would effectively measure the current state of your defences and would thus assist you in choosing the next steps towards a more resilient business position.
Armed with the insight that a PCI gap analysis provides, a Board of Directors can then allocate appropriate resources to ensure the effective protection of cardholder data throughout the business operation. In this way, it increases the organisation's resilience to payment card data theft and the criminal activity associated with it.