The information security field is a challenging place these days. With new and increasing threats every day, staying ahead of risks can feel like treading water. There’s always a new vulnerability to address, a patch to apply, security tools to research and defenses to update. But being defensive is not a sound security plan; it’s imperative to be strategic and get ahead of attackers.
Why you need a security policy
A good security policy is a written plan for implementing and enforcing information security best practices that your executive management team has bought into. Saying that you have a firewall to protect your networks is not good enough; a perceived plan is not a policy. Saying you follow the SANS Top 20 is admirable, but you need a customized plan for implementing those 20 guidelines in your organization as a daily practice. Sure, you can start with a template from SANS, PCI, or NIST, but each and every point must be scrutinized and tailored to your specific needs; a good security policy is not a checklist. The policy should become a way of life, a mindset that you bring to the job every day. The policy should be reviewed and updated regularly as the IT landscape changes and as attackers add new technologies to their arsenals. And it is imperative that your plan be presented and endorsed by C-level staff and the board.
Why is it vital to have a security policy? Because without a policy, there is no security. And compliance with the policy is the only thing that will keep you secure. Deviations from the policy create risk, increasing the chance of an attack, a breach, or data theft.
Cybersecurity belongs in the boardroom
These days, a security policy cannot just live in the IT department. A good security policy presents a strategy that is also aligned with corporate goals and objectives, integrated with other enterprise policies. Information security affects the entire organization. A breach can steal your organization’s intellectual property, it can compromise your customers’ private data, it can expose your enterprise’s confidential data, and it can damage your company’s reputation. Your plan of action must be embraced by the entire organization to protect all those assets. With so much at stake, you should get your executive management to buy into your security plans. They must understand the risks and the consequences of not implementing a comprehensive security policy. Security is everyone’s business – it must be built into the corporate conscience.
In short, cybersecurity must have a seat at the boardroom table. Your security policy and systems should get the same visibility as the financial and customer systems in your organization. If the board of directors is charged with providing oversight of every aspect of the business, then it must also understand, monitor and participate in cybersecurity protective measures. In a recent Forbes article, Why It’s Time For a Board-Level Cybersecurity Committee, Betsy Atkins makes the case for a cybersecurity committee in the boardroom and a security policy that is shared with the board:
It is crucial that the board require management to present their policies on cyber security. Request that management write up their security practices and standards, and their protocol for responding to a security breach.
This is timely advice. Every CEO, board chairman, and executive manager has a personal stake in cybersecurity. And when you think about it, CIOs and CFOs have several things in common when it comes to security:
They don't know what's on the network
The network is changing all the time, and the C-level does not have visibility into those changes. It is the responsibility of infosec professionals to educate top executives.
They don't have a budget for everything
You may have a stellar security policy, but if it is not backed up in the corporate budget, you can’t implement it. You need to bring security requirements to the executive conference room, because security is just as important as your financial and customer systems.
They don't know exactly what their organizations should be doing for cybersecurity
Should they follow their peers? Should they modify and adopt a standard such as SANS? Should they go beyond the baseline standards for a more robust (and more costly) security policy? These decisions can’t be made in reaction to a threat or attack; defenses must be put in place and enforced before a crisis occurs. That requires the full endorsement and budgetary backing of your executives and the board.
A security policy protects your data, but it also protects the entire enterprise, your customers, business assets, and your corporate reputation. Whatever tools you have, whatever technologies you use, you need a security policy that aligns them together for organizational security. And your policy must be endorsed by the board to be effective. It’s time to elevate cybersecurity to the C-level.