Can you name anything (in our society) that is not driven (at least in part) by emotion? Our perception of events (and how they might help or harm us) drives our emotional reactions. Oil prices drop, and the market plunges 200 points in one day. The Fed raises interest rates one basis point and the market reacts. It almost seems like a self-fulfilling prophecy.
We want to use our robust emotional brain to our advantage, not our disadvantage. The midst of battle is not when we should decide how we are going to react. Written policies and procedures help us leverage our emotions while responding in a coordinated manner toward a common goal.
Implementing sound policies and procedures will help your organization in the following ways.
1. Policies are the first manifestations of our prevention efforts.
Due care and due diligence are the two buzzwords tossed around post-breach. Often, a firm's lack of due care and due diligence is used to determine liability. Of course, what constitutes due care and due diligence might vary widely from case to case, but the SEC's recent ruling (in the case of RT Jones Capital) offers a little more clarity.
The SEC's decision in the Jones case sends a clear message. A successful post-breach response is not enough. Companies must have written policies and procedures on hand. Written policies and procedures demonstrate your organization's efforts to actively defend its cyberspace. From the outside looking in (despite a proper post-breach response), the firm's lack of defined policies and procedures demonstrated a dearth of due care and due diligence.
2. They provide a measure of consistency amid chaos.
The armed services continuously practice their various battle drills. Why? Because they want the execution of these exercises to become second nature. They don't want their people (on the front lines) thinking "what do I do now" or "what comes next". Their battle drills are equivalent to our policies and procedures. During the fog of a breach, they will allow us to act in a systematic manner to stop the bleeding and remove the threat.
Writing policies and procedures is not the sexy side of cyber security. Stop for a moment and think about CSI Cyber, Mr. Robot, and any other fictional cyber security show. Can you remember the last time they talked about policies and procedures? Crafting policies and procedures is not the glamorous side of the industry. However, well-crafted, well-tested, and well-executed policies and procedures could very likely prevent your next monster.com moment and hundreds of thousands of dollars in fines.
3. They result in measurable and quantifiable metrics.
A great coach does not assume his defense can stop the offense. He tests his policies and procedures (or in his case the defensive playbook) by subjecting his defense to the offense. Then and only then can the coach objectively assess the readiness of his defensive players. Practice allows him to see who is missing blocks, misreading the offense, and not executing their assigned tasks. A great coach will take this information and use it to make the team better.
The 20 Critical Security Controls are a great place for your organization to start. These controls offer prioritized and systematic guidance that your security teams can use to begin defining policies and procedures. If implemented properly, they also result in metrics that allow you to objectively assess the effectiveness of your policies and procedures.
4. They facilitate focus on the task at hand.
The worst time to worry about what to do is in the heat of battle. When you get that call or alert at 0315 (while you're on vacation across the country), you don't have the luxury of time. Immediate steps must be taken to stop the bleeding, contain the breach, and ultimately restore normal operations. Written policies and procedures allow people to systematically work their way toward these goals. They significantly reduce the sense of being overwhelmed by focusing the team on the task at hand.
The writing on the wall is clear. Your company's liability depends upon more than just its ability to respond. Recent events suggest you will be held liable based on your preventative measures as well.
This article is published as part of the IDG Contributor Network.