3 Reasons a Security Policy Improves Information Security

By Eric Noonan • March 2, 2016

Product vendor’s marketing focuses on advanced persistent threats – Stuxnet, China and all of the other fear, uncertainty, and doubt (FUD) – that are almost completely out of your control.  So take a step back from the overwhelming advertisements leaving you feeling insecure and spend some time on something that you can actually control, your organization’s information security policy.  Exciting right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.

3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security

1: Corporations Take a Policy Seriously

Corporations tend to take policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, then the final version goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the “why” behind a reduction in administrative rights you now have something tangible to refer to rather than trying to educate one engineer at a time.

2: A Policy Presents an Opportunity to Lead the Security Conversation

The process of documenting, socializing and getting an executive endorsement of a security policy is an often overlooked opportunity to engage executive leadership in a conversation about security. At the top of every organization, busy executives have many number one priorities and getting security onto their already overcrowded plate is difficult, even in the age of continuous front-page data breach headlines. Creating a security policy presents an opportunity to lead the security conversation in a way that ensures the most important security agenda items are the focus of the discussion, rather than headlines about the most recent breach that may or may not be relevant to your organization.

3: A Policy Can Help Drive Resource Allocation

When endorsed and published, a policy can help drive resource allocation. Advocating for resources is often easier when the reasons for the “ask” are anchored in compliance requirements. Compliance might not be as thrilling a topic as nation-state attackers but executives understand compliance better than they ever will advanced persistent threats. You should leverage that executive understanding to secure the resources you need to accomplish your mission.
In an overworked and under-resourced security organization, I completely understand the tendency to focus on “doing things” rather than documenting things but that approach will keep you on the hamster wheel and in the long run hobble your opportunity for success.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service will assist you in successfully creating a policy for your business that will materially improve security. A security policy can be the first step in your journey to an optimized information security environment and the foundation necessary to promote the endorsed support of your executive leadership.

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO