There is a moment in most security programmes where the hard work of building gives way to the assumption that everything is now working. Policies have been written. Controls have been implemented. Suppliers have signed agreements. The risk assessment is done. The certification is in sight.
Articles
Everything you need to know about information security in one place. If you can't find what you're looking for, contact us and we'll be happy to answer you.
The People and Resources Behind the Programme: Support Infrastructure for ZInfV-1 Compatibility
A security programme can have the right policies, the right controls, and the right risk assessment — and still fail operationally. The failure point is almost always the same: the people who are supposed to operate the programme don't have the skills, the resources, the information, or the tools to actually do so.
You Can't Manage What You Haven't Mapped: Risk Assessment and ZInfV-1
Security budgets get spent every year. Controls get implemented. Policies get written. And organisations still get breached, still miss incident notification deadlines, and still find themselves unable to demonstrate to a regulator that their measures are proportionate.
Who Owns Security in Your Organisation? Leadership Commitment and ZInfV-1
When an information security programme fails — when a breach goes undetected for months, when an incident notification deadline is missed, when a certification audit exposes gaps that should have been closed years ago — the root cause is almost never a technical one. The firewall was probably adequate. The policy probably existed. The problem was that nobody with real authority ever made security a genuine priority.
Organisation Context Is the Precondition for Security — and ZInfV-1 Compliance
If you ask the head of security in any Slovenian organisation whether they have an information security programme in place, most will answer yes. If you ask them to describe the actual threats their organisation faces — by sector, supply chain...
ISO 27001 and ZInfV-1: The Information Security Foundations Every Organisation Needs
In a world where cybersecurity has become a board-level priority — not just an IT concern — two questions keep surfacing in leadership meetings: "What exactly do we need to do?" and "How do we know it's enough?" ISO/IEC 27001:2022 and ...





