
Information Is Valuable and Must Be Protected


Ing. and Ing. Martin Drastich, MBA, Ph.D. has been involved in information security and personal data protection for over 15 years. He is also an active auditor and co-operates with some big names in the field. This year he has been working as lead auditor for a prominent automotive company, which is, in his words, the equivalent of a footballer playing in the World Cup.

You have met numerous clients during your career as an auditor for information systems security. Could you sum up how serious individual companies are about information security?

Responsible companies realise that every piece of information has its value and must be protected accordingly. It is increasingly frequent for customers to require a certificate in information security for management systems (ISO/IEC 27001:2013) or for the automotive industry (TISAX – Trusted Information Security Assessment Exchange), and some fall directly under the Cyber Security Law. The peak of a career for an information security auditor in the Czech Republic is the post of Lead Auditor with Skoda Auto Plc.

On the other hand I have also met clients who are still of the opinion that ‘so far nothing has happened’ so why should they invest in information security? In connection with this, I often recall the witty remark that users are divided into two groups: those who back-up and those who haven’t lost their data yet.

We are likely to agree that the issue of information security is gaining importance. What is your opinion and what would you recommend to those who want to start taking steps in this area?

We can see the importance of security all around us. We have the example of the attack on Benešov Hospital, which was at the time widely covered in the media and which ‘switched the hospital off’ for 1 month. The estimated damage was CZK 60 million. This example shows that investment in security and staff training would have cost only a fraction of that amount.

Based on my fifteen-year career in the implementation of information security and auditing (ISO/IEC 27001:2013, TISAX), I must recommend approaching an experienced consultant first. The field is wide and the issue cannot be solved by transferring responsibility to the head of IT, quality manager or HR manager. The reason for this is that the relevant issues overlap physical security, organisational security, personnel security, ICT security (infrastructure, SW, HW, BCM back-ups, DRP, etc.) and supply chain security, including compliance with legal and contractual requirements.

An experienced consultant will advise on listing assets (processes, information, HW, SW, personnel, physical locations), methodology and annual risk analysis, internal audit, information classification, management of security incidents, monitoring and system efficiency measurements (KPI), staff training and information security, and can help prepare the necessary documents.

The area of information security surely does not give much space for humorous stories but could you still give us some examples of where companies make the biggest mistakes?

The biggest mistake is that company management does not get involved in implementation (it does not allocate sufficient human resources or funding). Defining roles is often forgotten (security manager, security team, owner of assets, internal auditor, etc.), including requirements on qualifications and staff training. It is essential that a security manager holds a corresponding position in the company structure. Of course, it is vital that users are trained regularly. Threats keep developing and they get more sophisticated. Users need to know what they should pay attention to and how they should respond. It is slightly paradoxical that fire drills are compulsory but we do not get taught how to handle threats which we face every day.

Thank you for the interview.
