Can you measure the maturity of information security practices?
Do you know Iceland? So many questions...
It's a country in the far North of Europe with about 300 000 inhabitants. It's the least populated area in Europe. Given that Greenland doesn't really count I assume...
In its own and unique ways it's a little like Hobbiton. Icelanders don't care much about the "Big Folk" from the rest of Europe. And the Big Folk doesn't care much about Icelanders.
But when a couple of cyber-sorcerers from the University of Oxford showed up recently, the local ministry invited to a magical round-table.
The wizards of Oxford are conducting a study. They travel, also to warmer countries, like Jamaica or New Zealand.
And they ask questions, during open round tables. To research cyber-psychology and other mystical things, together with us local experts.
As a foreigner the world of the Big Folk is known to me; I am exotic here. But I also know that Icelanders don't suffer from identity theft, or other side effects of data thefts which affect companies world-wide.
In Iceland everybody knows each other's social security number. That's not a joke: it's the birthday plus 4 random numbers, which are easy to remember. You need a Kennitala for the gym, or for to rent an off-road car. Or to buy a computer. Or to login somewhere. It's like a user name.
Icelanders don't have issues with scam or phishing, due to the language barrier. They also don't perceive threats, like from ill-minded campaigns such as "Fire Fairy". Kids here tend to get better at English. They'd understand the messages. But there is a major difference between being able to speak a language, and trusting the words of another language.
So yes: the risk culture is very different. I work for a multi-national company, with an international security culture; different from the local Icelandic companies. Usually local businesses don't get that big. Usually local Icelandic businesses care less. Whether that's okay or not is a difficult question.
We do not secure computers for the sake of computers, but to act responsibly as a society.
GDPR and NIS - Iceland is not exempt. Neither are SMBs.
A surprising number of businesses is not informed about GDPR and NIS. That's not due to a lack of material.
My estimation is that 50% of the businesses will care, and the other 50% won't. The problem is that current international advice tries to render a PCI-DSS style spending-scenario by commercializing the privacy compliance efforts. This way fresh consultants try to convince established companies to process-manage data-privacy issues away with new investments. Whether that enables the right adjustments is not known, because the EU regulators have not given much concrete advice. So it's a bet, and you don't need to be a genius to figure that one out.
One issue with these regulations is, that many EU member states have translated them into national laws, but haven't explained how to proportionally apply them.
For many small and mid sized business expertise upon ways to archive GDPR compliance in synergistic fashion with standards like ISO 27000s (which has concrete ways related to GDPR Article 26, confidentiality, integrity, availability and resilience of processing systems) is only available via international consulting companies. And not in Iceland.
So, what about SMBs? Executives of SMBs in Iceland do not see the law of data security and privacy as an important matter. As long as the market doesn't demand it, this has "low or no priority". They do not expect fines, because the regulators would need to assess and audit the company. In Iceland. Not likely to happen.
My thinking is, that in 2018 some of them might see requests of international business partners for data-privacy compliance. But contracts can be abstract.
Information security training - how to collaborate and exchange knowledge
This is not a hot topic in Iceland.
I found that many autodidacts criticize the popular Information Security certificates, based on arguments which have very little to do with the related training content or code of ethics. Personally I see a lot of value in an enforced code of ethics, like GIAC has it.
Generally I see that information security certifications are requested from newcomers into the field. That is not a good tendency, especially for compliance related certs and assignments. These certs do not replace experience, which can become very obvious during a SoX or PCI-DSS audit. Reality can be harsh.
Personally I tend to see certifications as helpful indicators, given that I personally wasn't satisfied with my university curriculum regarding information security. There simply was not a single course, although I studied Computer Science in Germany, and graduated in 2012. I learned a lot in an auto-didactic fashion, and decided to surface this through certificates later.
Icelanders don't see the need to pursue information security certificates and focus a lot on experience (years, company, position...). Iceland is very small. Chances are good that you know all security professionals within the country.
Threats to Iceland - information security & economy
From what I hear Jamaica has the problem, that the country's IT infrastructure gets abused as a hub to enable fraud, piracy or other kinds of abuse. Iceland could become such a hub for the EU zone. There is very little awareness on information security. That makes it hard to import and adapt imported products, from an American risk culture mindset.
The Icelandic government has no awareness programs, and as far as I know (we probably have the biggest infrastructure in Iceland) there is no CERT. We have had major DDoS attacks, which should have triggered at least some reaction.
- Iceland is very small. If it happens, it happens. Vaðlaheiðarvegavinnuverkfærageym-sluskúraútidyralyklakippuhringur
I find the classification from the Oxford Cyber Security Maturity Model (CMM) useful. Take a look at page 27:
I often hear, that it's hard to hire information security professionals.
My answer usually is, that you probably don't have a profile for the position, and that this is the reason why you don't know what you need. Take a look at the Established column and you see what I mean: "precise roles and responsibilities".
It's hard to hire one professional for all the responsibilities. It's hard to hire information security professionals in general, if you don't have an established approach. I suggest that's where you need to get started. Most people I know in the field of information security would not work for Start-Ups (excluding their own one) or Formative businesses.
No one knows every aspect, which is tangented by information security. Certified or not. There is no generalist, with a "mixology" of all trades. Getting InfoSec skills isn't like mixing a skill cocktail based on buzzwords, that hit the CV filters. Every professional has his small island, from which he rises. Whether it's icy or not An information security professional works with a company, often as a liaison with compliance or regulatory authorities. Or as an independent control and checkpoint.
However if you are also a skilled bartender, you might have got a great future ahead of you. Just make sure your clients are old enough to drink.