Do growing companies need security compliance certification?


Date: 13 December 2023

A security badge

There’s a sense among many CISOs that security certifications and their related trust seals are lacking in value. Sometimes business leaders think these certifications are easy to acquire, simply by checking some boxes and forking out a fee, and that therefore they have nothing to do with a company’s actual security posture.

It’s worth noting that when SolarWinds suffered their major, reputation-damaging data breach of 2020, they held both ISO 27001 and SOC 2 Type II certifications. Neither one prevented the hack from taking place, and now the SEC has filed a suit against the company, alleging that it used cybersecurity compliance certifications as a coverup for its weak password policy and access controls.

It’s true that security certifications are no substitute for true protection, but the two ideally go together.

Unscrupulous companies have been known to use real or fake badges to claim a level of security they don’t come close to meeting. More commonly, security certifications are a great place to begin, but they cannot be the end of your security measures. As the SolarWinds case demonstrates, a compliance badge doesn’t prove that your security profile is as solid as it could be.

Corporations mustn’t fall for their own advertising by believing that the security badges they display will ward off hackers. You have to constantly measure resilience, assess risks, track threats and optimise how you respond to them, even when you have a whole row of security certifications.

When approached wisely, the certification process provides a framework that is helpful for achieving a truly dependable security position. Indeed, those badges do still have value, and it's still worth it for organisations to put in the work to achieve them. Here are some of the reasons why.

They are often a prerequisite for business

In many verticals, security certifications are a must-have. For example, any tech company in the US that wants to work with healthcare organisations needs to be HIPAA-compliant; those that wish to work in finance must comply with FINRA and the Gramm-Leach-Bliley Act (GLBA); and businesses in retail or payments services must be PCI DSS-compliant.

It’s not just specific verticals, either. Some 84% of security and IT professionals agree that compliance with regulations like GDPR and CCPA is mandatory to work in their industry. These data privacy regulations are growing in scope all the time, so every company needs to ensure that all of its systems are compliant.

Admittedly, security certifications aren’t the only way to achieve compliance. But they are an excellent method of testing all your processes and verifying your level of protection, with many leading frameworks demanding vigilant governance of third-party risk. One tool that streamlines third-party risk detection and monitoring is UpGuard, which continually monitors vendors and partners to reveal exposure vectors.

They put you in position to lower risk exposure

While a security certification is not a magic shield, it does improve your protection level by forcing you to review your defences methodically. Many certifications need to be renewed regularly, which means you’ll repeat vital checks and systematically verify that your security is appropriate for the threats of today, not just yesterday.

According to WeForum’s Global Cybersecurity Outlook 2023, 73% of respondents found that cyber and privacy regulations effectively reduced their cyber risks. Many organisations need help to complete these checks because they find the process so tedious, mapping out databases, user access protocols and third-party governance across sprawling infrastructure.

The cyber GRC automation solution from Cypago helps make these tasks a lot easier, with some 65% of corporate risk and compliance professionals saying that automating manual processes would help lower the complexity and cost of compliance. Cypago draws together all the data you need to analyse your risk, governing processes, and security controls, while also streamlining remediation workflows.

They improve your reputation

Security certifications can be particularly valuable for growing companies that haven’t yet had the time to build strong reputations through word-of-mouth publicity.

For a potential customer, investor, or board member who’s doing due diligence on your company and doesn’t directly know anybody who’s worked with you, a security certification is something they can rely on.

In a similar vein, security certifications can help your company to stand out from the competition. If someone’s deliberating between a number of similar new organisations, a security certification from a well-respected organisation can help differentiate your business from others that don’t have the same level of visible compliance.

They promote better operational procedures

Jumping through the hoops of security certifications also tends to result in improved frameworks for business practices and performance, which reduces costs and improves productivity.

As you complete the required reviews and audits, you’re likely to discover unnecessary apps and SaaS licenses. Eliminating these apps saves money and ensures that employees can only access the tools they need, which saves them time logging in and out of platforms and reduces time wasting.

What’s more, you’ll end up streamlining business processes by reducing friction around reporting, surveillance, and communication. Tools like BetterCloud help you track which apps are being used on a regular basis, which overlap, and which constitute a security risk, so you can easily remove those that aren’t relevant or are a threat.

They increase conversions

When visitors see a security certification badge on a website, they are more likely to feel confident about their interactions on the site and believe that the company is reliable and trustworthy.

This translates into higher sales, more positive word-of-mouth recommendations, and increased customer loyalty. Trust is vital for every transaction in any industry or vertical, so security certifications can have a similar effect in the B2B space.

Such badges reassure customers and partners that your business ecosystem is secure, all interactions are encrypted, and that any data shared with you will be protected, increasing the chances that they’ll agree to do business with your company.

Security certifications can still be valuable

Simply collecting security certifications like a boy scout collects badges can be a worthless undertaking. But these certifications can also bolster your reputation and sales and drive you to improve your security posture and operational processes. When you take them seriously and rigorously implement the attendant requirements, security certifications can help your growing business to scale.

Copyright 2023. Featured post made possible by Jeff Broth.
