Good and Bad Policies
Policies can be right or wrong, helpful or harmful, carefully considered or ill-conceived. The cybersecurity manager needs to know what they are dealing with because an inferior policy can give a bad impression about security. On the other hand, if done properly, policies can boost the security stature of the organisation. Departments usually accept and follow policies that they helped develop and write more than policies that are forced upon them. It’s a good idea for the cybersecurity manager to make a list of existing policies, along with remarks about their quality and acceptance within the organisation. Quite often, the cybersecurity manager is the one who will be maintaining and developing the policies going forward.
To find out what policies are in place, the cybersecurity manager must ask about them. When meeting with management, the cybersecurity manager should ask if there is a policy, if it makes sense, and if people follow it. Four possible answers will follow. First, maybe there is no written policy—it’s ad hoc. Second, perhaps there is a policy, but no one follows it—it’s just a dead paper. Third, the cybersecurity manager might discover there is a policy, and it’s been announced and supported by management, so people know about it. And fourth, even better, the lucky cybersecurity manager might find out there is a policy, it makes sense, and people are following it.
Types of Policies
Cybersecurity managers, who work with technology and systems, will likely work with, and perhaps create, some technically oriented policies. They also need to be aware of management’s perspective; often the main challenge is to translate the will of management into tech speak. For instance, imagine the director says, “I don’t want anyone weird accessing our information without permission. Make it our policy!” The cybersecurity manager would need to understand that as, “Every user who can access company information needs to have access rights approved by management.” Then the cybersecurity manager must translate the message further to make it implementable. At that level, the policy says that adding new users requires the IT service desk to request authorisation from the employee’s direct superior and that the user needs to reset his or her password on first login.
Many big companies use Active Directory in Windows environments, for example, as the user management system for the entire organisation. Security settings and technical policies are controlled centrally from that one system. Since so much depends on it, there might need to be a policy about how to manage security with it.
Similarly, many companies need policies about safely using cloud services. Most companies today are using these services, whether Office 365 or Google Enterprise Services, or another service where everything is stored in the cloud. In the future, they might not own their email servers or their storage space for documents. When that happens, and it has already happened to many companies, they will need a policy about how to safely use those services and to determine what is acceptable and what is not.
Cybersecurity managers might be surprised that policies may also be required for third-party services that aren’t managed by the company, such as social media accounts. Social media might not pose an obvious security issue, but what if employees act recklessly on Facebook? (Just like Mr. Trump is jeopardising America’s reputation with his constant Tweets.) That could cause problems for the company, so almost every organisation now has some sort of social media, or “digital citizenship,” guidelines.
Failure to set up policies leaves the company vulnerable. Let’s say people use weak passwords when they sign up for online accounts, or they reuse their work password and email address outside of work, like at their fitness club or for online shopping. If there is a breach in the third-party service, hackers will have their work username and password. This happens a lot, along with Trump-ish behaviour, making these policies necessary. External services come in two varieties: those that the company supports and tries to get users to adopt and those that users choose without company support. We haven’t found any company that doesn’t have both kinds, and cyber exposure comes from both sources. The company can largely control the first type of service, but the second one is subject to the user’s discretion. It only takes a single user—many businesses have had their information stolen because one user decided to store their information on an external file storage and sharing service. When that service was breached, hackers were able to steal the data. It happens a lot.
The company not only needs to make a statement about user-installed third-party services, but a good cybersecurity manager will try to learn what services people are using without consent or support from the company. Furthermore, the cybersecurity manager should strive to monitor any external exposure from all external services, supported or unsupported. Otherwise, they will be in the dark about the related risk.
Identifying external services and products is not always easy because many functions once assumed to be internal are now externalised. In the year 2000, for instance, it was common for every company to have its own server room or data centre. Not so much anymore. More than half of those installations have moved to external service providers or the cloud. Some services are now routinely outsourced to vendors, like IT support, front desk reception, and help desk services. Many companies don’t even own their own laptops anymore, but lease them from a supplier instead. All of these services require policies. We predict this trend will continue into the foreseeable future.
Simplicity Is the Cybersecurity Manager’s Friend
Given how important policies are, it’s understandable that many companies go overboard. We know of a critically important central agency of a government in the Middle East that paid $20 million in consulting fees to create a policy manual and security management structure for the company. In other words, they spent $20 million for paperwork. That’s a big overshoot.
When we came in, they asked us to help solve a problem created by all that paperwork—how to implement all those policies in all their complexity. We were a bit cautious in our first few interviews with them. We told them, “If you want us to help you implement these policies, we will need a copy of each.” We left with a load of documents to read through. When we made a list of them all, it totalled 1,200 pages. (It was detailed enough to include requirements about how to use the door in the server room and which direction every door should open.) 1,200 pages of written policies!