3 Reasons a Security Policy Improves Information Security

By Eric Noonan • March 2, 2016

Product vendor’s marketing focuses on advanced persistent threats – Stuxnet, China and all of the other fear, uncertainty, and doubt (FUD) – that are almost completely out of your control.  So take a step back from the overwhelming advertisements leaving you feeling insecure and spend some time on something that you can actually control, your organization’s information security policy.  Exciting right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.

3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security

1: Corporations Take a Policy Seriously

Corporations tend to take policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, then the final version goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the “why” behind a reduction in administrative rights you now have something tangible to refer to rather than trying to educate one engineer at a time.

2: A Policy Presents an Opportunity to Lead the Security Conversation

The process of documenting, socializing and getting an executive endorsement of a security policy is an often overlooked opportunity to engage executive leadership in a conversation about security. At the top of every organization, busy executives have many number one priorities and getting security onto their already overcrowded plate is difficult, even in the age of continuous front-page data breach headlines. Creating a security policy presents an opportunity to lead the security conversation in a way that ensures the most important security agenda items are the focus of the discussion, rather than headlines about the most recent breach that may or may not be relevant to your organization.

3: A Policy Can Help Drive Resource Allocation

When endorsed and published, a policy can help drive resource allocation. Advocating for resources is often easier when the reasons for the “ask” are anchored in compliance requirements. Compliance might not be as thrilling a topic as nation-state attackers but executives understand compliance better than they ever will advanced persistent threats. You should leverage that executive understanding to secure the resources you need to accomplish your mission.
In an overworked and under-resourced security organization, I completely understand the tendency to focus on “doing things” rather than documenting things but that approach will keep you on the hamster wheel and in the long run hobble your opportunity for success.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service will assist you in successfully creating a policy for your business that will materially improve security. A security policy can be the first step in your journey to an optimized information security environment and the foundation necessary to promote the endorsed support of your executive leadership.

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security