Cyber security standards not doing enough
Cyber security standards are not doing enough to protect organisations from cyber crime.
That was the word from Manuel Corregedor, chief operations officer at Telspace Systems, speaking during the ITWeb Security Summit 2017 today.
Corregedor, who joined information Telspace last month, says although organisations are implementing standards such as ISO/IEC 27001, among others, they are still being breached.
The main problem with standards, he said, is that they can't keep up with the rapid changes the technology space is going through. Faced with ever more frameworks, policies and documents, organisations often adopt a tick box approach to pass an audit, but lack the knowledge for it to be meaningful.
"We all need to do cyber security but we lack the basic fundamentals," says Corregedor.
He urges organisations to get the basics right first by thoroughly auditing all their IT assets, as well as implementing user account management.
Understanding vulnerability management as well as risk management is also key. "Cyber security professionals need to create a balance between governance, risk and compliance and their operational security," he adds.
Organisations often appoint people without the requisite skills to run cyber security, he says. "For example, you will find someone being promoted from a position in risk into a cyber security expert's role. In the end, these individuals end up just Googling about what they should be doing because they lack the proper knowledge."
I always tell people that I can give them skills but not passion.Manuel Corregedor, chief operations officer at Telspace Systems
But for cyber security to be really effective within organisations, information security professionals need to have a passion about their job. "I always tell people that I can give them skills but not passion."