The international law firm Shook, Hardy & Bacon has started using its new security certification to woo potential clients. The certification, ISO 27001, took two years and multiple consultants and analysts to obtain, but Shook’s CIO, John Anderson, thinks the work was worth it. He started the certification process at the urging of Shook’s information governance committee, which wanted “a methodology and a framework that ensures [they’re] using best practices for information security” and “third-party verification that proved [their] commitment to information security to external parties”, according to Anderson. Now the hard work is paying off: Anderson describes the certification as a “differentiator” and a “competitive advantage” for the firm.

In a recent poll of 1,322 CEOs, 61% listed cyberattacks as a key concern. With the average data breach costing approximately $3.8 million, it is no wonder that organizations are asking their law firms how they implement cybersecurity. Some, according to John Murphy, Shook’s chair, even ask specifically whether the firm holds ISO 27001 certification. Such questions are unsurprising, considering that the firm routinely handles highly confidential and regulated information, sometimes for organizations in the pharmaceutical industry.

Simply holding the ISO 27001 certification isn’t necessarily enough, though. The standard specifies requirements for an information security management system, and certification attests to that management system rather than to any particular set of technical controls. Steve Wilson, an analyst at Constellation Research, puts it this way: the certification is “a management process standard: it doesn’t tell you what to do exactly in security; it tells you how to go about managing the security function.” Shook’s executives point out, though, that the certification does require the firm to routinely evaluate and update its security standards and, if nothing else, demonstrates its commitment to keeping clients’ data secure. In addition to the spending required to obtain the certification, the firm also dedicates funds to the other aspects of its security strategy. “We wanted to make sure we had the processes in place so [clients] had confidence that we were doing the best we could,” Murphy explains.

Article: CIO, August 28, 2015

Photo: Security via Robert Wallace [Creative Commons Attribution-NonCommercial-NoDerivs]