[Reading time: 69 seconds]

In my last article, I recommended that you focus on IRS: Implementing Reasonable Security.


Because if you’re accountable for cyber security, and if (or when) an attack or breach occurs, you will need to prove that you ensured reasonable steps had been taken to protect the organisation.

So, what does ‘reasonable’ look like?

Quick answer:

  • Do not rely on someone like me to tell you!*

Longer answer:

  • Every individual involved in cyber security will have their own opinion on what ‘reasonable’ looks like.
  • But to ensure you are covering your responsibilities appropriately, you need more than just the opinion of one individual.

And that is why…

Industry benchmarks, frameworks, and standards are excellent guides to show you what ‘reasonable’ looks like.

  • They reflect the experience of many experts (not just one individual).
  • They are frequently backed up with empirical evidence.
  • They significantly reduce the risk of you being the next victim of a cyber attack.

And the icing on the cake?

If you align / certify to one (or more of them), it is far more difficult for an outsider (e.g. a regulator, board member, or media commentator) to suggest that you did not implement ‘reasonable security’.

In the new world of Individual Accountability, this approach will significantly reduce the risks to your professional reputation and your future career prospects.

Where should you start?

There are many benchmarks, frameworks, and standards to choose from. The most appropriate choice for your organisation will depend on a number of factors, including:

  • Your firm’s risk appetite
  • The expectations of your Board, clients, and prospects
  • The expectations of your regulators (e.g. CBoI, DPC in Ireland; EBA, EIOPA in Europe; ICO, FCA, PRA in the UK).
  • The legal and regulatory landscape (e.g. DORA, GDPR in Europe).
  • The maturity of your current approach to risk management.
  • Current organisational capabilities and constraints.
  • The most likely threats to which your firm is exposed.

If you and I were in a conversation about what reasonable looks like for your organisation (>> sign up here for a SANITYin60 workshop <<), we would focus our discussion on all of these factors (and more).

From there, we would discuss the suitability, benefits, costs, and implications of frameworks, benchmarks, guidance, and standards like:

  • NIST CSF (Cyber Security Framework)
  • CIS Controls
  • Cyber Essentials (and CE Plus)
  • ISO 27001

What’s my point?

I have two:

  1. Do not rely on one individual to tell you what IRS looks like for your firm. Rely on industry benchmarks, frameworks, and standards.
  2. Recognise that IRS (‘Implementing Reasonable Security’) requires some thought. What is a good fit for one firm could be disastrous for another.

If you need help figuring out what IRS looks like for your firm, I’m here.


* PS However, as I tell my son whenever he argues about my latest house rule, I am 120% right.. 120% of the time!