“It's not personal...”

An information breach can be devastating to any business, and the high profile ones that hit the news are just the tip of the iceberg.

In the last few years the game has changed. Rather than suffering the equivalent of a targeted burglary, you are now far more likely to be mugged at random: opportunistic, largely automated attacks that do not care how valuable your information assets are, with nation states increasingly among the attackers.

So if you're vulnerable, you will eventually suffer a breach, and the repercussions of even a minor breach grow ever more severe as regulatory requirements become more stringent.

But even without being hacked it is possible to fall foul of the growing complexity of compliance obligations, and whether you suffer a technical breach or a compliance failure, the consequences for the business are ultimately the same:

public image – long term reputational damage
financial – penalties and loss of revenue
market position – share price hit

Although many fundamental controls are implemented using technology, without strategic planning and tactical oversight of the organisation's entire information risk space they can do little more than react to individual technical threats as they are identified. That leaves the organisation wide open to breaches that either pass beneath the radar or are not technological in nature at all. Common areas where businesses of all sizes come unstuck include:

the minefield of international personal data protection obligations
compliance with the Payment Card Industry Data Security Standard
keeping track of increasingly unstructured information processing
the uncertainties of reliance on mobile and cloud services

Such aspects of information risk are primarily business issues, not technological ones. Reducing both the likelihood and the scale of breaches, and maintaining compliance, require a strategic approach based on the specific requirements of your organisation. Robust process management, not technology, is the primary key to success.

Integrated InfoSec specialises in defining, implementing and remediating strategic frameworks and tactical processes for managing corporate information risk.