The Panama Papers: Why It’s Time To Shore Up Your Defences By Getting The Board On-Board With A Strategic Approach To Information Security

Posted by Philip Bindley

Data is the most precious asset of all for any organisation – from Intellectual Property (IP) to the Personally Identifiable (PI) information held on behalf of its customers.

In this day and age it should be blazingly obvious to all that having only a limited ability to protect your data, let alone clear visibility of where it is stored and where it is going, is bad for business, plain and simple.

Yet it appears a sizeable gap in thinking or understanding still remains in the boardroom – even at the world’s fourth-largest provider of offshore services.

I am sure you have been following the Panama Papers story with amazement as events have unfolded over the past few weeks. I am also certain there will be plenty more organisations to suffer similar breaches in the future. But for now, at a whopping 2.6 terabytes, this is officially the largest leak in modern history.

Articulating the value

During recent research and analysis here at The Bunker, it has become more obvious than ever that the majority of our customers are those that understand and articulate well the value that information security or cyber security (call it what you may) provides to their business.

The correlation between security of data and business success to a good degree defines the type of customer that seeks and finds the services we offer, because these are exactly the type of services that our friends in the hat (Panama variety) should have considered long before falling victim to a breach.

Indeed, more than 3 years ago I wrote about why it had become essential for CISOs and other professionals with a solid grounding in IT and security to learn the language of the boardroom and what matters to its members. But given the ever-increasing size and scale of information breaches, one can only draw the conclusion that either businesses are failing to listen, or information security professionals are failing to deliver the message in the right way.

Legislators and the impending General Data Protection Regulation (GDPR) in Europe will demand that businesses address this area as custodians of PI. However, this casts information/cyber security in a negative light. Potential financial penalties and mandatory breach notifications may well be the stick, but there are many more carrots if only these can be evangelised and explained successfully at the board table.

Renewed focus

There are so many positive reasons for approaching this topic seriously. Forward-thinking businesses have already started to capitalise on the IP/PI they own by putting it on the balance sheet. This then becomes something that can be valued, and protection of said data becomes an exercise in risk management that can be more easily explained to CEOs and CFOs.

Without going to such lengths, and given that quantitative risk management is a notoriously difficult and inexact science, we have a philosophy at The Bunker that would help many explain why it’s important to do things right. Not to get a tick in the box from an auditor or get a badge on the wall, but to make businesses both more successful and more likely to succeed:

We believe Information Security enables businesses to be more competitive, manage risk, protect brand and allow innovation in a controlled manner.

The current malaise in approaching the security of data is somewhat bewildering. It is our duty as information security professionals to gain a greater understanding of why this exists and attempt until we are blue in the face to tell business leaders why it is vital to have the right people, processes, technology and, most importantly, culture within our organisations to both protect the business and make it more profitable while supporting growth in a controlled and sustainable manner.

I sincerely believe the day will come when we will all be able to look back at events such as the Panama Papers and have a more light-hearted discussion about how anyone could let such a thing happen.

Until that day though, it is incumbent on information security professionals to push for security to become an integral part of business planning by developing a compelling voice at the top table.
