How secure is my company?

Michael Russo

Medium-sized businesses are heavily targeted by cybercriminals these days because they have a lot of valuable data, but usually don’t have the same resources to protect it. But why is information security so essential in today’s world? And what are the essential steps companies must take to effectively protect themselves from cyber threats? In this interview, our information security expert Michael shares indispensable insights and valuable tips for a cybersecurity strategy that works.

The ISO/IEC 27001 certification occupies a significant position in this regard. As a leading international standard and authoritative certification in the field of cybersecurity, it provides guidelines for structuring, implementing, monitoring and improving information security measures.

5 questions for soxes security expert Michael Russo

What advice would you give to other companies regarding information security?  

Michael Russo: It is important to be aware of your security gaps and to invest in information security. A cyber attack can cost a company dearly. A good start is to increase employees’ awareness of this issue. Attackers often take advantage of employees’ ignorance to infiltrate malware – e.g. via a phishing email – into a company.

Which protective measures are particularly relevant for SMEs?  

The biggest risk factor for any company is and remains the human factor. Increasing employees’ awareness of cybercrime is therefore the first and most important measure in my view. Companies must recognise their individual points of attack, know their systems and ensure that someone takes responsibility for their updates.

Despite all caution, an attack cannot be ruled out. It is therefore advisable to have a Business Continuity Plan (BCP), which lists in detail which systems are indispensable and how the company must react in an emergency. To keep the consequences of an attack as low as possible, backups of the most important applications, which must be stored outside the company network, are always suitable.

The biggest risk factor for any company is the human itself.

Michael Russo, CISO soxes AG

What are your main tasks as Information Security Officer? 

I primarily maintain and expand our information security management system (ISMS). I support our departments with the following tasks:

  • Conduct risk analysis and define measures
  • Define and implement improvement targets
  • Regular performance reviews using defined KPIs
  • Regular communication with internal stakeholders regarding the status of the ISMS
  • Create training plans for employees
  • Regular updating of guidelines and process descriptions

This year, soxes has again been awarded ISO/IEC 27001 certification: What does this mean exactly?  

ISO/IEC 27001 certification is not a one-off exam that you pass and then forget about. Compliance with the requirements is checked annually by an external, accredited auditor. Particular attention is paid to continuous improvement, which is specifically required by ISO/IEC 27001. The beauty of this requirement is that you don’t have to start “perfect”. As a company, you make sure that all requirements are met, then gain experience in practical application and improve what turns out to be unsuitable or insufficient.

How well secured is soxes in dealing with cyber threats?  

ISO/IEC 27001 gives us a long list of reference measures. It provides a comprehensive and great framework for improving our own security. Thanks to the implementation of these and some other measures, we now feel very well secured. However, it is important not to just sit back and rest. We remain vigilant and keep ourselves informed about the latest, possible security gaps and threats.
