A while back I went to a lecture that opened my eyes and inspired me. It is what I look back on when times are dark and enables me to think "Information Security is possible".
The talk was started by the CEO of a large financial institution which is also heavily involved in the medical industry. Alarm bells should be ringing... because the information they have floating around their network is so private - its scary.
The CEO of the company started the talk and told us how secure they are now and how they are working on getting more secure and more to the point - how come he knows.
It seems it wasn't always that way but they are working on getting more secure. They started with a framework, defined goals, worked out a plan and ways to measure their security posture.
And it is something they are very proud of. In fact, that the CEO can talk security already is something special. That he is aware at any one time how secure he is, is more special. Well done to them.
I also had a chance to talk to someone from their competition. I mentioned this inspiring talk and asked this person how secure they are - he told me about firewalls, VPNs and that they had a "full PKI installation with non-repudiation" but gave me no measurables - just product talk. In short, he doesn't know.
There are (apparently) 2 companies in South Africa that are fully ISO27001 certified. I'm not sure what these are but 2 is a very small number. Hopefully, companies will wake up to the realities and as South Africa does more business with overseas companies, hopefully information security will become a selling point.