Network Overdrive made the strategic decision to upgrade our IT accreditation goals from NIST to ISO27001 in October 2021. The process of choosing a service provider took a little while, so we got started in December 2021. This article reflects our experience after the first 3 months – but it’s been so good we want to share it.
Starting the ISO27001 information security management certification process has already made us a better business, in just three months. To be clear, it is not the certificate that has made us better: we have only just begun, and certification is still a long way off.
What I want to tell you today is that simply starting the process has already made us a better business.
FOCO – Fear of compliance overheads
Everyone is afraid that ISO compliance:
1. is super-expensive,
2. takes ages, and
3. is just a box-ticking exercise.
I was afraid! I was afraid that I was going to spend three years and tens of thousands of dollars on the process – just to get a compliance certificate at the end of it.
I was wrong. Even if we stopped today, after just the first step, we have already benefited massively. Why? Because it pushed us to talk WITHIN our business ABOUT our business.
Is it our excellent facilitator? Is it the design of the process? I can't say for certain; my personal feeling is that it's the design of the ISO process. What I KNOW is that I like the results we're getting.
How has just starting already made our business better?
One major thing that the review has done is to focus our executive team ON the business. It required us to come together and TALK about our business; to do an up-to-date SWOT; to discuss our strategies and our goals and our processes.
It wasn’t just the executives either – it was a whole-business review that got people talking about and thinking about the business of Network Overdrive.
Other results so far:
- It has strengthened the relationship between our core IT workforce and the executive team.
- It has strengthened the relationship between our core IT workforce and HR.
- It has strengthened the relationship between our core IT workforce and Sales.
- It has strengthened the relationship between our core IT workforce and Admin.
How ironic is this?
We are an IT company – we have a big IT team and a strong culture that focuses on serving the needs of IT for our customers.
However, before we started the ISO27001 process, our team knew WAY more about our customers’ businesses than about how Network Overdrive runs. They didn’t know how we hire, how we market or how our finances work.
The review got them thinking about “what are the IT needs of Network Overdrive”? That shift alone has been hugely rewarding.
A big part of the security piece for us is our people
Our biggest risk is our people: hiring people with the right background, not just the right technical skills. So our first steps have been to upgrade our hiring and onboarding processes.
Our hiring process is better
Our hiring process now includes detailed background and police checks. We don't just want good skills, we want good people. In a world where cybercrime has become a global industry, we see this as essential.
Our onboarding process is better
Our onboarding process has also been updated – now EVERYONE gets comprehensive computer security awareness training. We’ve always done that for the IT people who will support our customers – but we didn’t automatically do it for all the other staff we hired.
Now we do – we make sure that everyone in our business understands their responsibilities and their business technology.
Salespeople need to know the risks of their technology; finance people need to be aware of the fraud strategies used by cybercriminals, such as fake invoices and payment-redirection emails that impersonate a supplier or an executive.
Risk involves the whole business – especially our own IT
We found we’d been assuming that business risk was something that could be managed at the executive level – which is just not possible in today’s world.
We did a review of our business goals, our business risk and our IT capability – a review that included IT (and other departments as required). We now involve our tech people in assuring that our own IT is as secure as it can be. It’s an ongoing process of security review and analysis – not just an audit.
Just having these conversations has increased people’s engagement with Network Overdrive and their loyalty to the business.
Finance is involved at a whole new level
Our risk management needs and objectives are feeding back into our budget process, involving our finance people in understanding cybersecurity at a whole new, more immediate level.
The finance people are more engaged – because the IT people are talking to them about their processes.
Asset management was an identified risk
We didn’t have an asset register. (Another irony.) Like many other companies, creating an asset register has been a “should” that finance had struggled to get around to.
Now it was an acknowledged business risk, and a business need that IT understood as an immediate operational priority. So it's happened. Previously, even if we had done it, it would have been a thankless task and a chore. Now that asset register is appreciated and applauded.
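An asset register only reduces risk if it is kept in step with what is actually on the network, so the register needs a recurring check rather than a one-off spreadsheet. The following is an added example, not Network Overdrive's own tooling: it reconciles a small, constructed CSV register against a constructed list of hosts "seen" on the network (as you might export from DHCP leases or a directory) and reports devices that are unregistered, registered but absent, missing an owner, or overdue for re-verification. The column names, asset IDs, hostnames and the 180-day verification window are all assumptions for illustration.

```python
"""Reconcile an asset register against hosts observed on the network.

Added example with constructed data; not an organisation's real register.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import List

# Constructed asset register. The columns are typical of an ISO27001-style
# inventory: unique tag, hostname, accountable owner, classification and the
# date the entry was last confirmed as accurate.
ASSET_REGISTER_CSV = """\
asset_id,hostname,owner,classification,last_verified
NO-0001,fin-laptop-01,finance,confidential,2022-01-15
NO-0002,sales-laptop-03,sales,internal,2021-06-01
NO-0003,dc01,it,restricted,2022-02-01
NO-0004,hr-desktop-02,,confidential,2022-01-20
"""

# Constructed discovery output: hostnames seen on the network recently,
# e.g. from a DHCP lease export. Note the unknown device.
DISCOVERED_HOSTS = ["fin-laptop-01", "dc01", "unknown-pi-7", "sales-laptop-03"]

# Constructed "today" so the example is reproducible offline.
AS_OF = date(2022, 2, 28)

# Assumed policy: an entry not re-verified within this many days is stale.
MAX_VERIFY_AGE_DAYS = 180


@dataclass
class ReconciliationReport:
    unregistered: List[str] = field(default_factory=list)  # seen, not in register
    not_seen: List[str] = field(default_factory=list)      # in register, not seen
    no_owner: List[str] = field(default_factory=list)      # asset IDs with blank owner
    stale: List[str] = field(default_factory=list)         # asset IDs overdue for review

    def is_clean(self) -> bool:
        """True only when every finding list is empty."""
        return not (self.unregistered or self.not_seen or self.no_owner or self.stale)


def load_register(csv_text: str) -> List[dict]:
    """Parse the register CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reconcile(register_rows: List[dict], discovered: List[str], today: date,
              max_age_days: int = MAX_VERIFY_AGE_DAYS) -> ReconciliationReport:
    """Compare register rows with discovered hostnames and flag the gaps."""
    report = ReconciliationReport()
    registered = {row["hostname"].strip().lower() for row in register_rows}
    seen = {h.strip().lower() for h in discovered}

    # Devices on the network that nobody has accounted for are the biggest
    # finding: unmanaged hardware is outside every other control.
    report.unregistered = sorted(seen - registered)
    # Registered kit that is not seen may be lost, stolen or decommissioned
    # without the register being updated.
    report.not_seen = sorted(registered - seen)

    for row in register_rows:
        if not row["owner"].strip():
            report.no_owner.append(row["asset_id"])
        last_verified = date.fromisoformat(row["last_verified"])
        if (today - last_verified).days > max_age_days:
            report.stale.append(row["asset_id"])
    return report


def run_example() -> ReconciliationReport:
    """Run the reconciliation on the constructed data above."""
    return reconcile(load_register(ASSET_REGISTER_CSV), DISCOVERED_HOSTS, AS_OF)


if __name__ == "__main__":
    rep = run_example()
    print("Unregistered devices:", rep.unregistered)
    print("Registered but not seen:", rep.not_seen)
    print("No owner recorded:", rep.no_owner)
    print("Overdue for re-verification:", rep.stale)
```

Each non-empty list in the report is an action for a named owner, which is the point: the register becomes a living control that the review cycle keeps honest, rather than a document produced once for the auditor.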
Everyone is involved
Before we started the process, we thought that it would be a private conversation done in a backroom by a couple of auditors talking to individuals.
It’s not. How it’s happened is that the people responsible are having the conversations – broadly.
People start to care AND they start suggesting improvements.
It's an ongoing process, not a one-time event. The audit process requires our internal processes to exist and then checks that they are actually being followed. The auditors got us to set up regular, ongoing processes and activities.
It’s enabled us to do something we were talking about anyway – finding a way to involve our people in owning and improving our business (including our security).
It’s become externally-authorised business improvement driven by the business.
As in many SME operations, previously people with ideas for improvement would have waited for the business owners to have an opinion. Not any more – this process now empowers them to step up and say “this needs improving – it’s important”.
That’s invaluable – because they know how the business works better than we do.
A combination of opportunity and obligation
This is the next step of a journey that started back in November 2020, as we became increasingly aware of two factors:
- The way cybercrime had metastasized into a global industry.
- The way that globally-recognised security standards provided businesses with access to global market opportunities.
Cyber security was ringing alarm bells as a massive threat to our customers AND customers expanding overseas brought home to us the global business opportunity.
Our first step was to review the different global standards and our existing business context. That led to a gap analysis against American cybersecurity standards set by NIST, which we began in January 2021.
That NIST audit, and the actions we immediately took as a result of it, probably saved our business from extinction in July 2021. On July 3rd 2021 at 3 am we got hacked, and so did all our customers, and we ALL survived. (I've told the full story here: https://www.netoverdrive.com.au/how-we-our-customers-survived-a-cybercrime-attack/ )
We lifted our goals
This experience and others along the way made us lift our sights – so we decided to change our goals and go for the bigger goal – ISO27001 instead of the more technical NIST standard.
We originally chose NIST over ISO27001 because it was less onerous. We – like many others – were scared of the 3-year timeframe and what we thought would be a box-checking exercise.
What I didn't realise about ISO is that what is mandatory, at least for smaller organisations, is the commitment of the management team to:
- developing IT standards, and
- linking those IT standards to business goals.
For smaller businesses, everything else is auxiliary: you choose the controls that apply to your business, and record why the others don't.
Shoot for the stars – or at least ISO27001 – because the payback is worth it
Don’t be put off by what “everybody knows” about standards and accreditation – which is probably rooted in 20th-century compliance thinking.
Make ISO27001 a strategy to build your business, engage your people and achieve your goals faster.
Don’t rely on your understanding of cyber security – get external expert advice, informed by rigorous international standards.
You might think you're fine. Your IT people might think you're fine.
But will those opinions stand up to a critical evaluation by a cybersecurity expert measuring you against a rigorous international standard and the global threat level?
It's February 2022. Russia has just invaded Ukraine and Australia has taken a stand against their move. Russian global cybercriminals, who many consider to be funded by the Russian government, will not be limited by international borders.
There's never been a better time to invest in securing and upgrading your technology.
Not only will you protect your current business – you can ALSO expect to make it a better business.
Don't "wonder", let's talk it through
I live and breathe business improvement through technology; it's what we all do every day at Network Overdrive.
If you're still not quite sure, book a video call with me to talk about how ISO27001 has made my business better.