Don't know about where you work, but in most places policy is a four-letter word. Management, especially, tends to bristle at the notion. "That's not the way we do things around here," they'll say. Or, "We don't need a policy. We've got bright people who will automatically want to do the right thing." Or how about, "I hired you to influence and to lead. If you have to rely on a piece of paper to get things done, maybe I've hired the wrong guy."
Nevertheless, I'm someone who's bullish on security policy for, I think, all the right reasons. Because, for one, it frames our work as CSOs. And because it also provides a hook to the resources we CSOs require. I've worked long and hard over the years to develop a solid security policy at my organization, and I've had some luck getting senior management buy-in.
I even gave a presentation on security policy at a security conference a year or so ago. As I prepared my pitch, I couldn't help but wonder what the sponsors were hoping for. I mean, it was about boring, bureaucratic B.S. (and that's not a college degree, by the way).
Well, as it turned out, it topped the hit parade in the participant evaluations, and I still get requests for copies of the presentation today. I'm quite sure that it wasn't my phenomenal charisma that made such an impression, so I've circled back more than a few times to learn why people care about policy.
One CSO in particular was interested in learning how I had approached the enforcement part of policy. And as I started to dig in to what I thought was familiar land, I hit a rock. While it's easy to spout off about the way things ought to work, it's another thing altogether to try to tell someone how to enforce the rules. Policy policing, it turns out, is not as easy as it sounds.
Many chief information officers and others at the top pay only lip service to supporting infosec policies. Nimda
"Hmmm," says the CEO, finally. "If we have a policy on this, maybe we need to be more forceful in enforcing it."
Eureka. History LessonMy dictionary defines policy as "a plan or course of action as of a government, political party or business designed to influence and determine decisions, actions and other matters." Now, believe me, I'm all about influence. But determining decisions and actions? That's another matter. In fact, it's one hell of a stretch.
Think about the evolution of corporate security policy. Several decades ago, it was pretty straightforward, although it wasn't very visible from a business process perspective. We had the basic framework aimed primarily at managing a baseline security program such as physical access, notification protocols, safety and perhaps some directives that emerged from an incident or event of note.
And then Al Gore invented the Internet. Do you suppose he had imagined the potential for doing business on such a highway? Did any of us imagine how insecure it would be? How about we put this incredible facility on our desktops? Who would've thunk some idiot would send uninvited trash to colleagues? It's clear that we most certainly need some business rules and other safeguards around this channel.
The past dozen or so years have been manna from heaven for policy partisans everywhere, what with the (continuing) influence of the lawyers and insurance carriers and employment laws. There was an explosive integration of technology in core business processes and the resulting risks to intellectual property and business continuity. Add to that the Corporate Sentencing Guidelines, a plethora of industry-specific regulations, privacy, the Patriot Act, Sarbanes-Oxley, anthrax, Sars, terrorism threats....
We've got to have an envelope of policies and procedures with all that potential for disaster, don't we? You bet.Details, DetailsThere are four parts to governance from my perspective:
- Identifying and communicating risk
What's the problem?
- Creating an accepted policy and guidance infrastructure
What do we expect accountable parties to do?
- Developing processes to monitor conformance with policy
How do we know we are successful?
- Preparing, when the controls fail, response capabilities
If it hits the fan, who will do what to mitigate it?
Assessing compliance is not the problem. Not surprising, policy compliance in the information security realm is automated. A number of products can be deployed to monitor and report on rule infractions. Both logical and physical access and intrusion detection are highly sophisticated and online. A variety of business process anomalies are identified with smart-transaction monitoring. Internal and external audits will assess and confirm compliance, and our investigations will reveal where policies were not followed. In short, a huge portion of the policy landscape is
So here we are with a comprehensive set of governance and asset protection policies and options for measuring compliance. But what about enforcement and sanctions? The devil, of course, is in the details.
Policies set expectations and assign accountability. They establish a legal framework, spelling out what is and isn't permitted. They define how management will govern. They provide direction to our security strategy and architecture. But when do you stop selling and start punishing? And who authorizes you to do so?
Which brings us to the first of five lessons for my CSO friends.
Lesson One. The enforcement of policy should be directly connected to the consequences of inaction. In other words, you need to create consequences for not actively following the company's policy. You need to punish the yahoos who don't follow the rules.
Lesson Two. Unattended risk is unacceptable. The concept of corporate governance is morphing. Events have moved insurers, shareholders, regulators, legislators and directors to a much lower tolerance for risk-taking
Lesson Three. An uncommunicated policy does not exist. The more that policies are clearly tied to well-communicated, higher likelihood risks, the more our constituents will understand and comply. Are you surprised that a policy on testing business continuity plans or building evacuations might have sold shortly after 9/11 to the same people who put up a fight when we called an annual drill a few months prior?
Lesson Four. The masses know when policies are hollow or inequitably enforced. It's the idea of enforcement that causes the kinds of reactions we often get from our customers. With pressure from insurers, regulators and boards, frequency of cyberattacks and a raised bar on risk management, I think we're beyond having to justify an inventory of security policies. The rub is around what you intend to do about noncompliance. That is where your success at selling the policy to top management and then communicating expectations to employees is key to effectiveness.
Lesson Five. Do your homework and frame the business case for a policy. Isn't it amazing that when we catch an hourly employee doing something wrong we have to hold management back from sending him to the gallows? But what happens when it's one of their own? "Do you realize how valuable this guy is?" they'll ask incredulously.
I've had more than my share of time in the hot seat on issues such as that, and my best ally has always been our employment law counsel. (I've not had the same luck with HR types.) The lawyers know that uneven application of sanctions is an invitation to a lawsuit. General counsel should be in the loop on all policies that carry the potential for employee sanctions. You should be playing out "what if" scenarios and driving mutual stakes in the ground on how infractions will be pursued
Meaningful sanctions are at work when someone at the accountable management level (on his watch) gets his bonus croaked or gets fired. I heard a story about one executive who was so careless with his laptop that, two weeks after his first one was stolen, his replacement was also taken. Both had highly proprietary data on them. He was sacked. You better believe that message was not lost on the survivors.
So let it be written. So let it be done.