Product vendor’s marketing focuses on advanced persistent threats – Stuxnet, China and all of the other fear, uncertainty, and doubt (FUD) – that are almost completely out of your control. So take a step back from the overwhelming advertisements leaving you feeling insecure and spend some time on something that you can actually control, your organization’s information security policy. Exciting right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.
3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security
1: Corporations Take a Policy Seriously
Corporations tend to take policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, then the final version goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the “why” behind a reduction in administrative rights you now have something tangible to refer to rather than trying to educate one engineer at a time.
2: A Policy Presents an Opportunity to Lead the Security Conversation
The process of documenting, socializing and getting an executive endorsement of a security policy is an often overlooked opportunity to engage executive leadership in a conversation about security. At the top of every organization, busy executives have many number one priorities and getting security onto their already overcrowded plate is difficult, even in the age of continuous front-page data breach headlines. Creating a security policy presents an opportunity to lead the security conversation in a way that ensures the most important security agenda items are the focus of the discussion, rather than headlines about the most recent breach that may or may not be relevant to your organization.
3: A Policy Can Help Drive Resource Allocation
When endorsed and published, a policy can help drive resource allocation. Advocating for resources is often easier when the reasons for the “ask” are anchored in compliance requirements. Compliance might not be as thrilling a topic as nation-state attackers but executives understand compliance better than they ever will advanced persistent threats. You should leverage that executive understanding to secure the resources you need to accomplish your mission.
In an overworked and under-resourced security organization, I completely understand the tendency to focus on “doing things” rather than documenting things but that approach will keep you on the hamster wheel and in the long run hobble your opportunity for success.
Don’t Know Where To Start?
CyberSheath’s Strategic Security Planning service will assist you in successfully creating a policy for your business that will materially improve security. A security policy can be the first step in your journey to an optimized information security environment and the foundation necessary to promote the endorsed support of your executive leadership.