CyberSecurity

Defining Information Security Governance in Today’s Cybersecurity Landscape

BY JAIBER RIOS GIRALDO - LEAD CYBERSECURITY CONSULTANT AT SINTEZA CO SHPK

Welcome to a comprehensive exploration of the evolving landscape of information security governance, drawing insights from my last three years’ experience in the Albanian market. In this blog, we will look into the imperative concept of safeguarding the most valuable assets: information and knowledge. Join me as we navigate the intricacies of information security governance, transcending conventional boundaries, and understand why prioritizing information is paramount in today’s dynamic cybersecurity environment, especially for organizations dealing with sensitive data, such as those under the new banner of Critical Infrastructure (NIS2 EU & Project Law_2023 for Cybersecurity ALB).


The Informality Trap in Information Security Management

In the Albanian market, one prevalent observation is the informal approach to a complex topic: Information Security Management. Regardless of the size of the company, there’s a common tendency to assign everything related to information security governance to the IT Team. This informal handover can lead to overlooking the holistic nature of information security, treating it in most cases merely as a technical matter rather than a strategic imperative (as a matter of fact, most IT directors in the region come from a technical background).


Cultural Attitudes Towards Information Security Governance

A notable cultural aspect in relation to Project Law_2023 for Cybersecurity is the avoidance of information security strategic topics, in terms of how strategies are planned to comply with and implement the new requirements set out in this important legislation. In our daily conversations, when referring to this law, it’s not uncommon for us to hear phrases like “let’s not worry about it” or comparisons to other laws that seem to fade away with time; for instance, Law 2/2017, which may have generated initial noise but subsequently lost attention. Based on my personal and professional experience, this prevailing attitude poses risks, as it underestimates the importance of information security in the grand scheme of organizational information & cybersecurity health. One thing is for sure: new legislation brings with it lots of confusion and uncertainty, and understanding how to become compliant, and why, is extremely important for you and your organization.


Law 2/2017 and the Call for Serious Consideration

For those unfamiliar with Law 2/2017, you can find more details here: Law No 2/2017 on Cybersecurity. This law, while it may have faded from public discourse, holds significance. To those like me in the cybersecurity realm, the tendency to dismiss it echoes a broader issue: currently, information security is often seen as a compliance checkbox rather than a strategic priority that contributes to your business goals & objectives.


Security as a Top-Down Responsibility

It’s crucial to recognize that security is a responsibility that starts at the top of an organization and cascades down. This is not solely an IT matter; it’s a cultural imperative that should permeate every facet of the organization. Creating a security culture requires collective contributions, where every individual understands the importance of what they do and how they do it. This is addressed to some extent in the new Project Law_2023 for Cybersecurity, which, I must say, is the right way forward, especially in relation to the topic of Security Responsibility and Accountability.


Why Take Information Security Seriously?

Understanding the importance of information security is not just about compliance. Compliance is about the minimum levels of security; this is about building a resilient organization, and it can only be achieved based on best practices. The implications of a data breach extend beyond legal consequences; they include reputational damage, loss of customer trust, and financial ramifications. In this context it is very important to recognize that security is an outcome, not just an empty concept.


The Call to Action: Building a Security-Conscious Culture

This blog is a call to recognize that information security is not a topic to be relegated to the IT Team or dismissed in daily conversations. Information security should be an integral part of your organizational culture, something that requires attention from the top leadership down to every employee. At Sinteza CO we contribute collectively to a culture where we all care about what we do and how we do it. We are here to guide and support you in your cybersecurity journey as you take the first step (Governance) towards creating a robust defense against an evolving cybersecurity landscape that is complex and difficult.


For more information on Governance, Risk & Compliance visit us at www.sinteza-al.com

Stay tuned for more insights on mastering information security.