In an exclusive interview with VMblog, Luke Dash, CEO of ISMS.online, sheds light on the rapidly evolving landscape of information security and compliance.
ISMS.online, a leading SaaS compliance platform with over 25,000 active users, has been at the forefront of helping organizations achieve their governance, risk, and compliance goals for over 15 years. Dash discusses the surprising findings from their recent 'State of Information Security' report, including a dramatic rise in deepfake attacks, and offers insights into how businesses can protect themselves. He also explores the changing motivations behind compliance efforts and the growing trend towards ISO 27001 certification. As the information security sector continues to expand, Dash provides valuable perspectives on upcoming challenges and opportunities for enterprises in the realm of AI governance and global compliance standards.
VMblog: Tell me about ISMS.online. What does the company do, and who are its
customers?
Luke Dash: ISMS.online is a security compliance platform that helps organizations
of all sizes and maturities achieve their governance, risk, and compliance
goals. We have over 15 years of experience assisting customers, originating
from our founding mission to enable secure information sharing for police
forces. We are now one of the leading global SaaS compliance platforms with
over 25,000 active users.
Auditors worldwide recommend our platform to deliver clarity
and efficiency for rigorous certifications like ISO 27001, SOC 2, HIPAA, and
over 100 other global standards. We're the market-leading ISO 27001 information
security management system, and thousands of customers have been certified
using our platform.
Unlike many compliance solutions focused purely on
automation, our platform takes a comprehensive approach by addressing people,
processes, and platforms to deliver effective long-term compliance. It ensures organizations
can operationalize, scale, and sustain reliable compliance that can evolve with
them as they grow and the regulatory and risk landscape changes.
VMblog: You recently put out the 'State of
Information Security' report. What did you find most surprising
about the research?
Dash: There were a lot of fascinating takeaways from our recent
State of Information Security report; perhaps the most surprising was the
number of businesses reporting being impacted by deepfake attacks, with 35% of
US businesses stating an attack of this type had impacted them in the last
twelve months.
In our 2023 report, 0% of companies reported being affected
by deepfakes, which goes to show how fast-moving the risk landscape is for
businesses, and the challenges of ensuring robust security controls to keep
data, systems and information secure.
It was also great to see companies' more business-focused
approach to compliance. 34% stated their primary reason for undertaking
compliance activities was to increase customer demand; protecting business
information accounted for 33%, and the need to remain competitive accounted for
30%. Just 19% of businesses cited avoidance of fines and penalties as their
primary motivation for compliance and robust information security.
We know that integrating frameworks like ISO 27001 into your
business strategy protects your business from damaging regulatory implications,
but it also embeds a strategy and culture that will ensure sustainable
long-term success, not just short-term gains. Seeing the needle move away from
the 'check box' approach and towards the realization that good information
security compliance is the foundation to business growth and success is, one,
about time, and, two, a really positive change in focus for all businesses.
VMblog: Since businesses are dealing with deepfakes to such a
large extent, what approach do you suggest they take to protect themselves and
their assets better?
Dash: Action is needed on multiple fronts to counter the rising
tide of deepfake attempts. A shift in mindset and a comprehensive educational
drive is required at a basic level.
Awareness of deepfakes and their prevalence and
effectiveness need to grow quickly. Deepfakes primarily rely on exploiting the
human element within organizations - deceiving individuals - so delivering
training programs to educate your employees about deepfake risks and how to recognize
them is essential. Gamification, for example, emerged as a key means of
improving cybersecurity skills and awareness in our report, with almost 30% of
companies identifying it as one of the most effective training methods.
From our perspective, establishing clear policies and
procedures for handling deepfake incidents or, indeed, any cyber incident is
essential. This should include guidelines for verifying communications,
responding to threats, ensuring compliance with relevant regulations and
developing comprehensive incident response plans.
As with most cyber risks, leveraging the tools and
technologies available is an obvious line of defense. Advanced detection tools
that can analyze audio and video for inconsistencies and real-time monitoring
systems that detect threats as they occur can help identify issues before they
become too serious.
However, more than technology and employee awareness are
required. Leaders must take a systematic approach to identifying and treating
areas of vulnerability across their entire business. This is where adhering to
standards, such as ISO 27001, becomes invaluable. By aligning with the ISO
27001 standard, organizations can establish a robust security posture
encompassing technological controls, governance measures, and regular
assessments. This addresses technical vulnerabilities and reinforces the
importance of organizational policies and employee training.
VMblog: Moving over to why businesses get and remain compliant,
how does compliance help them stay competitive? How does that work?
Dash: Too often, compliance obligations are seen as restrictive
burdens, diverting focus from core business goals. However, compliance only
stifles organizations that tack on standards as a reluctant checklist item
divorced from broader growth objectives. When tightly integrated into business
operations and strategy, your governance, risk management, and compliance (GRC)
frameworks become valuable investments that compound over time to build robust
foundations for trust, efficiency, innovation and competitive growth.
Meeting GRC certifications unlocks access to new markets,
particularly in regulated industries and the public sector. Compliance is not
just a requirement but a gateway to vital new opportunities. These practices
also drive operational excellence by optimizing resource utilization and
exposing inefficiencies, transforming business operations into leaner, more
secure, and more effective systems.
Robust compliance measures also ensure better protection of
supply chains, reducing exposure to risks and enhancing due diligence in
supplier selection and monitoring. This is highly relevant right now, given the
flurry of supply chain incidents hitting the headlines.
When harnessed correctly, customer insights, product
performance metrics, and other intelligence streams inform personalized
offerings, predictive models, and improved decision-making. But to do this
correctly, you need the kind of good governance that comes with solid
compliance practices.
We understand it can feel overwhelming for businesses
looking to improve their existing setup and realize the additional business
benefits compliance can offer, which is why working with established GRC
platforms can simplify their journey.
We created ISMS.online to enable businesses to unlock
sustainable compliance that works with a company, not against it. What started
with ISO 27001 compliance now includes over 100 additional global regulatory
standards and frameworks, including SOC 2, HIPAA, GDPR, Essential 8, and more.
We have created one platform to deliver all your compliance needs and scale
with you as you grow.
Leveraging our SaaS platform can remove many of the barriers
to implementation businesses face and get you on the growth path. We centralize
compliance management into one place, provide real-time updates on regulations
as they're amended, automate task workflows to ensure new requirements are
flagged with the correct teams and resources internally, streamline audit
preparation, identify gaps in compliance processes, and enable evidence of
compliance, all of which is highly time-, resource- and cost-effective.
Our platform takes a comprehensive approach, addressing
people, processes, and systems to deliver effective long-term compliance so organizations
can operationalize, scale, and sustain reliable protections that can evolve
with emerging threats.
VMblog: The topic of AI is everywhere today. What is ISO 42001,
and what does it call for?
Dash: The ISO 42001 standard provides organizations with a
framework for establishing, implementing, maintaining and continually improving
an artificial intelligence management system (AIMS).
The standard aims to embed ethical principles throughout the
AI lifecycle, ensuring respect for user privacy, avoiding bias, and upholding
fairness and inclusivity. It emphasizes transparency and accountability, making
AI systems and algorithms more understandable and trustworthy for stakeholders
and establishing clear accountability lines in AI operations.
Additionally, ISO 42001 focuses on risk management by
identifying, assessing, and mitigating risks related to data security, user
privacy, and potential biases, thus safeguarding against operational
vulnerabilities. It also advocates a culture of continuous improvement by
encouraging regular reviews and refinements of AI strategies, policies, and
procedures.
With incoming regulations like the European Union AI Act,
which will require all relevant organizations to be compliant on a phased
timeline up to early 2026, ISO 42001 will also enable organizations to get the
majority of the way to compliance with this and other regulations that will
most certainly follow globally.
VMblog: What are some tangible steps enterprises can take to meet
ISO 42001? How can they be prepared for it?
Dash: Businesses aiming to comply with the ISO 42001 AI standard
should take several strategic steps. First, it is essential to understand the
standard's requirements and thoroughly assess your current AI systems to
identify what you're using, where and whether it sits within an extended supply
chain. Developing robust ethical guidelines and transparency measures and
enhancing governance frameworks are crucial to ensuring alignment with ISO
42001 principles.
Additionally, businesses must strengthen their technical
infrastructure to enhance the robustness and security of AI systems and
establish continuous monitoring and evaluation processes. Engaging with
stakeholders to understand their concerns and expectations is vital for
maintaining transparency and trust.
Continuous improvement is key, and staying updated with the
latest developments in AI ethics and standards will ensure ongoing compliance.
For comprehensive guidance through this process, businesses can leverage
platforms like ISMS.online, which provide structured support and resources to
navigate the preparation and certification journey for ISO 42001 effectively.
With our customer, AI Clearing, we supported the world's first ISO 42001
certification, so we know how it works and how to get organizations compliant.
VMblog: Sticking with compliance, what trends do you see
impacting enterprises?
Dash: The growing importance of information security is driving
customer adoption of standards and compliance platforms. If you look at the
number of certificates issued annually, specifically starting with ISO 27001,
it is growing by more than 40% a year. With increasing global regulation and
compliance matrices within which businesses must work, I can only see the
sector growing exponentially over the next three years.
There has also been a noticeable shift away from SOC 2
compliance towards ISO 27001 certification among organizations. This could be
for a variety of reasons, not least that ISO 27001 is globally recognized,
whereas SOC 2 is primarily seen as a US-focused standard.
The international recognition of ISO 27001 makes it
particularly advantageous for companies with a global presence, those aiming to
expand internationally, or those operating within international supply chains.
The formal certification process by an independent certification body in ISO
27001 also gives organizations tangible proof of security that is attractive to
businesses wanting to ensure they work with companies that operate securely.
What this trend most definitely highlights is the importance
of global applicability and the requirement for more comprehensive security
frameworks by businesses seeking to execute sustainable and effective
compliance.