NTSC Blog

Security Policies Matter, But Only So Much

By Kevin Beaver, CISSP

Do you have a set of security policies? Odds are you do. Practically every business does. Ask anyone in charge of IT or security to see their policies and they'll eagerly share their documentation. Similarly, for employees, ask them whether they've been told the rules for computer and internet usage and they'll reflect back on the first day of employment when they signed off on something along those lines.

On the surface, everything seems okay. Technical staff know what they want. User expectations have been set. Executive management might have buy-in and assume that all is well in terms of information security and IT-related risk management. So, the rules have been established and, presumably, everyone’s on board.

What’s the big deal?

Well, this is precisely where things tend to go sideways with security. The longer an organization goes with a well-documented set of policies while not experiencing a breach, the more a false sense of security tends to ingrain itself into the culture. The business continues to move forward with everyone on board with the rules around computer usage and sensitive information.

Yet, one day, seemingly out of nowhere, it happens. An incident, or worse, a breach occurs. And no one can figure out why.

Security policies are mere instruments to document “This is how we do things here.” And that's really it. They don't automatically enforce themselves. Nor do they translate into tangible risk reduction in any meaningful way. Still, to many, their mere presence signifies a well-run security program. Network resilience is inferred. But it’s a misguided theory – and most definitely not reality.

What is reality is that unlike computer systems, people, and processes, security policies don't get hacked. Yet, they tend to receive an inordinate amount of security attention. Considerable time, effort, and money are spent on:

  • Documenting policies
  • Maintaining policies
  • Communicating policies to users
  • Sharing policies with auditors and other outsiders
  • Acquiring technical controls with the intention of enforcing the policies

This approach, in and of itself, is quite reasonable. The challenge is, it's not sustainable given the overall complexity of an enterprise security program. Resilience against attack and malfeasance is the ultimate goal, but it's rarely achieved. This is why even the largest of enterprises still get hit by someone with ill intent such as an external hacker or someone who is otherwise careless, such as an employee – oftentimes exploiting the most basic of weaknesses.

If you look at the essence of all impactful incidents and breaches, they didn't occur because of a lack of rules (i.e. policy documentation). They occurred because of a lack of discipline. Discipline on the part of technical staff to do what was necessary to enforce the rules. Discipline on the part of executive management to question and validate what is reported. Discipline on the part of users to do what they know needs to be done.

If you want to take your information security program to the next level and get it to where it needs to be, one of your focal points should be to take a look at your security policies—especially their effectiveness and value across the organization. Again, it requires discipline. Ensuring proper buy-in should be the top priority. Once you feel that part of your security program is in order, you’ll most certainly find gaps and oversights that can be mitigated while spending very little in the process. Some time and effort on the part of technical staff will be required. This process will also involve engaging users and other business leaders. Still, taking this approach to find your security blind spots, combined with ongoing discipline to see things through, will get you much closer to truly minimizing your security risks. A bonus is it will cost a lot less than acquiring yet another product or service that may end up underimplemented and not filling the necessary gaps.

Security is not easy, but it's also not difficult. The world is currently going from one crisis to the next, and the least you can do is make sure this crisis-to-crisis mode isn’t the case for your business. Take a fresh look at how your policies are contributing to – or taking away from – your security program. The most important question is “How?” That is, how can your security challenges be best addressed to benefit the business over the long term? By asking yourself what you would do more of, do less of, or stop doing altogether, you'll quickly figure out whether your security policies are working for you or against you. You don't need perfection, but you do need a plan. Shoring up the gaps in this part of your security program, not giving policies more credence than they deserve, and focusing on everything that matters might just prove one of the most valuable exercises you could ever do as a security leader.


Kevin Beaver, CISSP is an independent information security consultant, writer, and professional speaker with Atlanta, GA-based Principle Logic, LLC. With over 31 years in IT and 25 years in security, Kevin specializes in vulnerability and penetration testing, security program reviews, and virtual CISO consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has written 12 books on security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin has written over 1,300 articles on security and regularly contributes to TechTarget's SearchSecurity.com, Ziff Davis's Toolbox.com, and Iron Mountain’s InfoGoTo.com. He has a bachelor’s in Computer Engineering Technology from Southern College of Technology and a master’s in Management of Technology from Georgia Tech. In his free time, Kevin enjoys road racing his Mazda Miata in the Spec Miata class with the Sports Car Club of America (SCCA), riding dirt bikes, and snow skiing.