ISMS.online CEO Reveals Deepfake Surge and Compliance Trends in Information Security


In an exclusive interview with VMblog, Luke Dash, CEO of ISMS.online, sheds light on the rapidly evolving landscape of information security and compliance.

ISMS.online, a leading SaaS compliance platform with over 25,000 active users, has been at the forefront of helping organizations achieve their governance, risk, and compliance goals for over 15 years. Dash discusses the surprising findings from their recent 'State of Information Security' report, including a dramatic rise in deepfake attacks, and offers insights into how businesses can protect themselves. He also explores the changing motivations behind compliance efforts and the growing trend towards ISO 27001 certification. As the information security sector continues to expand, Dash provides valuable perspectives on upcoming challenges and opportunities for enterprises in the realm of AI governance and global compliance standards.

VMblog:  Tell me about ISMS.online. What does the company do, and who are its customers?

Luke Dash:  ISMS.online is a security compliance platform that helps organizations of all sizes and maturities achieve their governance, risk, and compliance goals. We have over 15 years of experience assisting customers, originating from our founding mission to enable secure information sharing for police forces. We are now one of the leading global SaaS compliance platforms with over 25,000 active users.

Auditors worldwide recommend our platform to deliver clarity and efficiency for rigorous certifications like ISO 27001, SOC 2, HIPAA, and over 100 other global standards. We're the market-leading ISO 27001 information security management system, and thousands of customers have been certified using our platform.

Unlike many compliance solutions focused purely on automation, our platform takes a comprehensive approach by addressing people, processes, and platforms to deliver effective long-term compliance. It ensures organizations can operationalize, scale, and sustain reliable compliance that can evolve with them as they grow and the regulatory and risk landscape changes.

VMblog:  You recently put out the 'State of Information Security' report. What did you find most surprising about the research?

Dash:  There were a lot of fascinating takeaways from our recent State of Information Security report; perhaps the most surprising was the number of businesses reporting being impacted by deepfake attacks, with 35% of US businesses stating an attack of this type had impacted them in the last twelve months.

In our 2023 report, 0% of companies reported being affected by deepfakes, which goes to show how fast-moving the risk landscape is for businesses, and the challenges of ensuring robust security controls to keep data, systems and information secure.

It was also great to see companies' more business-focused approach to compliance. 34% stated their primary reason for undertaking compliance activities was to increase customer demand; protecting business information accounted for 33%, and the need to remain competitive accounted for 30%. Just 19% of businesses cited avoidance of fines and penalties as their primary motivation for compliance and robust information security.

We know that integrating frameworks like ISO 27001 into your business strategy protects your business from damaging regulatory implications, but it also embeds a strategy and culture that will ensure sustainable long-term success, not just short-term gains. Seeing the needle move away from the 'check box' approach and towards the realization that good information security compliance is the foundation to business growth and success is, one, about time, and, two, a really positive change in focus for all businesses.

VMblog:  Since businesses are dealing with deepfakes to such a large extent, what approach do you suggest they take to protect themselves and their assets better?

Dash:  Action is needed on multiple fronts to counter the rising tide of deepfake attempts. A shift in mindset and a comprehensive educational drive are required at a basic level.

Awareness of deepfakes and their prevalence and effectiveness needs to grow quickly. Deepfakes primarily rely on exploiting the human element within organizations - deceiving individuals - so delivering training programs to educate your employees about deepfake risks and how to recognize them is essential. Gamification, for example, emerged as a key means of improving cybersecurity skills and awareness in our report, with almost 30% of companies identifying it as one of the most effective training methods.

From our perspective, establishing clear policies and procedures for handling deepfake incidents or, indeed, any cyber incident is essential. This should include guidelines for verifying communications, responding to threats, ensuring compliance with relevant regulations and developing comprehensive incident response plans.

As with most cyber risks, leveraging the tools and technologies available is an obvious line of defense. Advanced detection tools that can analyze audio and video for inconsistencies and real-time monitoring systems that detect threats as they occur can help identify issues before they become too serious.

However, more than technology and employee awareness is required. Leaders must take a systematic approach to identifying and treating areas of vulnerability across their entire business. This is where adhering to standards, such as ISO 27001, becomes invaluable. By aligning with the ISO 27001 standard, organizations can establish a robust security posture encompassing technological controls, governance measures, and regular assessments. This addresses technical vulnerabilities and reinforces the importance of organizational policies and employee training.

VMblog:  Moving over to why businesses get and remain compliant, how does compliance help them stay competitive? How does that work?

Dash:  Too often, compliance obligations are seen as restrictive burdens, diverting focus from core business goals. However, compliance only stifles organizations that tack on standards as a reluctant checklist item divorced from broader growth objectives. When tightly integrated into business operations and strategy, your governance, risk management, and compliance (GRC) frameworks become valuable investments that compound over time to build robust foundations for trust, efficiency, innovation and competitive growth.

Meeting GRC certifications unlocks access to new markets, particularly in regulated industries and the public sector. Compliance is not just a requirement but a gateway to vital new opportunities. These practices also drive operational excellence by optimizing resource utilization and exposing inefficiencies, transforming business operations into leaner, more secure, and more effective systems.

Robust compliance measures also ensure better protection of supply chains, reducing exposure to risks and enhancing due diligence in supplier selection and monitoring. This is highly relevant right now, given the flurry of supply chain incidents hitting the headlines.

When harnessed correctly, customer insights, product performance metrics, and other intelligence streams inform personalized offerings, predictive models, and improved decision-making. But to do this correctly, you need the kind of good governance that comes with solid compliance practices.

We understand it can feel overwhelming for businesses looking to improve their existing setup and realize the additional business benefits compliance can offer, which is why working with established GRC platforms can simplify their journey.

We created ISMS.online to enable businesses to unlock sustainable compliance that works with a company, not against it. What started with ISO 27001 compliance now includes over 100 additional global regulatory standards and frameworks, including SOC 2, HIPAA, GDPR, Essential 8, and more. We have created one platform to deliver all your compliance needs and scale with you as you grow.

Leveraging our SaaS platform can remove many of the barriers to implementation businesses face and get you on the growth path. We centralize compliance management into one place, provide real-time updates on regulations as they're amended, automate task workflows to ensure new requirements are flagged with the correct teams and resources internally, streamline audit preparation, identify gaps in compliance processes, and enable evidence of compliance, all of which is highly time-, resource- and cost-effective.

Our platform takes a comprehensive approach, addressing people, processes, and systems to deliver effective long-term compliance so organizations can operationalize, scale, and sustain reliable protections that can evolve with emerging threats.

VMblog:  The topic of AI is everywhere today. What is ISO 42001, and what does it call for?

Dash:  The ISO 42001 standard provides organizations with a framework for establishing, implementing, maintaining and continually improving an artificial intelligence management system (AIMS).

The standard aims to embed ethical principles throughout the AI lifecycle, ensuring respect for user privacy, avoiding bias, and upholding fairness and inclusivity. It emphasizes transparency and accountability, making AI systems and algorithms more understandable and trustworthy for stakeholders and establishing clear accountability lines in AI operations.

Additionally, ISO 42001 focuses on risk management by identifying, assessing, and mitigating risks related to data security, user privacy, and potential biases, thus safeguarding against operational vulnerabilities. It also advocates a culture of continuous improvement by encouraging regular reviews and refinements of AI strategies, policies, and procedures.

With incoming regulations like the European Union AI Act, which will require all relevant organizations to be compliant on a phased timeline up to early 2026, ISO 42001 will also enable organizations to get the majority of the way to compliance with this and other regulations that will most certainly follow globally.

VMblog:  What are some tangible steps enterprises can take to meet ISO 42001? How can they be prepared for it?

Dash:  Businesses aiming to comply with the ISO 42001 AI standard should take several strategic steps. First, it is essential to understand the standard's requirements and thoroughly assess your current AI systems to identify what you're using, where and whether it sits within an extended supply chain. Developing robust ethical guidelines and transparency measures and enhancing governance frameworks are crucial to ensuring alignment with ISO 42001 principles.

Additionally, businesses must strengthen their technical infrastructure to enhance the robustness and security of AI systems and establish continuous monitoring and evaluation processes. Engaging with stakeholders to understand their concerns and expectations is vital for maintaining transparency and trust.

Continuous improvement is key, and staying updated with the latest developments in AI ethics and standards will ensure ongoing compliance. For comprehensive guidance through this process, businesses can leverage platforms like ISMS.online, which provide structured support and resources to navigate the preparation and certification journey for ISO 42001 effectively. With our customer, AI Clearing, we supported the world's first ISO 42001 certification, so we know how it works and how to get organizations compliant.

VMblog:  Sticking with compliance, what trends do you see impacting enterprises?

Dash:  The growing importance of information security is driving customer adoption of standards and compliance platforms. If you look at the number of certificates issued annually, specifically starting with ISO 27001, it is growing by more than 40% a year. With increasing global regulation and compliance matrices within which businesses must work, I can only see the sector growing exponentially over the next three years.

There has also been a noticeable shift away from SOC 2 compliance towards ISO 27001 certification among organizations. This could be for a variety of reasons, not least that ISO 27001 is globally recognized, whereas SOC 2 is primarily seen as a US-focused standard.

The international recognition of ISO 27001 makes it particularly advantageous for companies with a global presence, those aiming to expand internationally, or those operating within international supply chains. The formal certification process by an independent certification body in ISO 27001 also gives organizations tangible proof of security that is attractive to businesses wanting to ensure they work with companies that operate securely.

What this trend most definitely highlights is the importance of global applicability and the requirement for more comprehensive security frameworks by businesses seeking to execute sustainable and effective compliance.


Published Tuesday, August 06, 2024 7:31 AM by David Marshall