You may have heard the advice "Good Security Programs Begin and End with Policy" -- an assertion that is being popularized by at least one online cybersecurity training program. We disagree. Here, we'll share why.
Let's start at the beginning. Why do infosec policies exist at all? Imagine this scene. A company lacks an infosec policy. A well-meaning employee of the company, without any intent of ill will, discloses some important piece of company information to an outsider. Word gets around, and the management team concludes that they need to set expectations with the rest of the company, about how to handle company information in a secure manner. A policy is born.
Although we don't think we can pinpoint the precise circumstances of how the first infosec policy came into existence, we've got a pretty good guess that it was a situation similar to the above one. Sure, some other infosec policies came about from more of a "CYA" motivation, but we think that become more commonplace later in the evolution of infosec policies becoming a norm and expectation. So, if you'll bear with us here and let us continue with the belief that infosec policies came about as a way to set guardrails so that well-meaning employees knew how to handle information safely, we'll dig deeper into the philosophy of how those policies fit into a broader security program.
The phrase "Good Security Programs Begin and End with Policy" leaves us concerned. No doubt the policy is important, but if the policy is intended to help employees understand the do's and don'ts of security, we've got a strong opinion about how to do that. The way to help employees turn policy into practical/safe day-to-day behaviors, is to supply tooling that helps them make the policy real. How about an example?
What if the policy states that employees must use a unique password on every website that they use for business purposes? That's a reasonable --and highly desirable -- policy. This type of policy, if the employees actually follow it, can help the company avoid information disclosure exposure across multiple websites when a single website is hacked. If "good security programs begin and end with policy" then maybe just stating this policy is enough? Maybe everyone will spring into action and gleefully comply with the policy? Maybe not.
Companies rolling out this type of policy, really should be supplying their employees with a password manager that has the ability to easily generate strong/random passwords. By giving employees a password manager that generates strong passwords easily, employees have a straightforward way to comply with the policy. We call that the "process" of complying to the policy. And without a process that employees actually follow, the policy is worth zilch.
Suppose an executive in your company asks how the company's infosec policies are going. Are the policies going well? Are people following them?
This is a wise question to ask. But, it's an awkward one for companies that believe that "good security programs begin and end with policy" -- because there is a very good chance that they lack the process and proof to discern how effective the policy is. Let's continue our example about the policy of requiring employees to use a unique password on every website. And, let's suppose that the company does supply employees with a password manager that makes it easy to comply with the policy. In that situation, it should be EASY to answer the question of whether/not employees are following the policy. Most business-grade password managers have administrative dashboards that make it easy to discern how well the team is doing at using unique passwords on every site.
In other words, there is "proof" that the policy is being followed.
At Havoc Shield, we believe that the best organizations set out to implement policy in conjuction with process, empowering employees to easily follow the policy. When that happens, it's a whole lot easier to see proof that the policy is being followed. And if that's the case, then the policy has been effective in a way that is measurable and sustainable.
So, do good security programs begin and end with policy? We don't think so. We think good security programs begin with policy, include process, and lead to excellent proof. If this approach appeals to you, please feel free to get in touch, we'll be glad to be your partner in your company's cybersecurity journey.