Four months in, our newsletter Breach Brief Weekly continues to gain followers at a steady pace, and I am glad it does. As of today, we are at 192 subscribers – 192 people and organizations we can help make safer than yesterday.
Our goal at Granite State InfoSec Consulting LLC, aside from making a living of course, is to raise awareness of real threats, real solutions, and compliance, and to show how the complex landscape of Information Security and Cybersecurity standards and frameworks ties together.
But first and foremost, we want to make proactive Information Security normal.
Why Do Organizations Resist a New Management System?
Understanding and pursuing yet another Management System “just for Information Security” is a royal pain in the neck. It is perceived as yet more inefficiency, expense, and complexity. I get it.
But hear me out:
When introducing Information Security, I like to draw parallels to the days when ISO 9001 for Quality Management Systems (QMS) was all the rage.
Everyone had heard about it. Nobody wanted to do it (unless leadership or a customer was pushing it, of course) because it was extra, tedious work. Few really understood it. Most expected an automatically higher level of quality from it. And it was supplemented by a confusing zoo of additional standards and frameworks, often industry specific. Take, for example, APQP (Advanced Product Quality Planning) and PPAP (Production Part Approval Process), two closely related but distinctly different concepts, tied directly to ISO 9001 in the automotive industry.
ISO 9001 by itself didn’t magically make quality better, and it didn’t stop products or processes from failing. What it really did was bring definition and accountability. It said, “Decide who owns what aspects of quality in your organization, figure out which characteristics actually define quality for you, set clear targets for such quality, measure whether you’re meeting them, and have a plan for what to do when you’re not.”
The point wasn’t how high the targets were, but rather that everyone knew what they were and who was responsible to meet them. ISO 9001 made companies document what “good (enough)” means to them, track it, and follow through. In short, it made quality intentional instead of accidental.
That is exactly what an Information Security Management System (ISMS) does, whether it is built on ISO/IEC 27001, assessed under TISAX®, or aligned with a NIST framework, only with a different goal.
It doesn’t make you secure by itself, and it doesn’t magically stop cyberattacks. What it really does is create structure and ownership around security. It says, “Decide who is responsible for protecting information, identify what needs to be protected and why, define how you assess risk, decide what you will do to reduce it and how you will respond to security incidents. Then check and improve on that in an ongoing cycle.”
It’s not about being perfectly safe, but rather about being organized, aware, and in control of your security measures. An ISMS makes sure security isn’t left to chance or individual effort. It turns good intentions into a managed, documented, and continuously improving process.
The Cost of Not Doing It
I will spare you the statistics anyone can google. Instead, I will state the obvious:
Lapses in quality have cost organizations immeasurable amounts of money and reputation. Take Takata’s recall of some 67 million airbag inflators, affecting Toyota, Honda, BMW, Ford, Nissan, and many others. Or Toyota’s Tacoma frame rust recall, or Chevrolet’s motor mount recall.
Implementing a suitable Quality Management System is no longer optional for an organization that wants to ensure business continuity.
On the Information Security end, we have all heard of the breaches at Yahoo, Equifax, and even right here on LinkedIn. Or, a bit spicier: AdultFriendFinder. In the automotive industry, cases affecting Mercedes-Benz Financial Services, Eberspächer, and Jaguar made the news as recently as last month. In the public critical infrastructure space, the overflowing water tower at Muleshoe, TX and the disrupted airport check-in systems across Europe earlier this year are sobering reminders that none of what we write about is fictitious.
Ignoring Information Security and Cybersecurity is no longer an oversight; it is inexcusable negligence.
We Don’t Know What We Don’t Know – So Please Share the Word!
Only if the right people understand the real risks of a breach, and the measures available against them, can we ensure that life as we know it continues. And we need to reach more and more people if we are to help them.
That’s why we are asking for your support in making Breach Brief Weekly, and by extension Granite State InfoSec Consulting LLC, known throughout your networks.
Sure, it’s for our benefit as a young but growing company. But it is even more for the benefit of a wide variety of organizations, businesses, non-profits, and public critical infrastructure, and therefore for people like you and me who don’t want to see our water supply run dry or be poisoned, our employers go bankrupt, or care organizations stopped in their tracks while providing critical care to our most vulnerable neighbors, friends, and family.
Help us get the word out. Help us raise awareness. Help us make proactive Information Security normal. Share this newsletter with your network along with a few words of encouragement, and it will make all the difference. Thank you!
Subscribe to Breach Brief Weekly on LinkedIn
#TISAX #ISMS #InfoSec #InformationSecurity #CyberSecurity #AWIA #ISO27001 #NIST #CMMC #CRA #CyberResilience #Water #DrinkingWater #CriticalInfrastructure #RiskManagement #Automotive #GSInfoSec