Why written policies are vital to your cyber strategy

Jan 20, 2016 | 4 mins
Backup and Recovery | Business Continuity | CSO and CISO

“Don’t think about winning the SEC Championship. Don’t think about the national championship. Think about what you needed to do in this drill, on this play, in this moment. That’s the process: Let’s think about what we can do today, the task at hand.” -Coach Nick Saban

Can you name anything (in our society) that is not driven (at least in part) by emotion? Our perception of events (and how they might help or harm us) drives our emotional reactions. Oil prices drop, and the market plunges 200 points in one day. The Fed raises interest rates one basis point and the market reacts. It almost seems like a self-fulfilling prophecy.

We want to use our robust emotional brain to our advantage not our disadvantage. The midst of battle is not when we should decide how we are going to react. Written policies and procedures help us leverage our emotions while responding in a parallel manner towards a common goal.

Implementing sound policies and procedures will help your organization in the following ways.

1. Policies are the first manifestations of our prevention efforts.

Due care and due diligence are the two buzzwords tossed around post-breach. Often, a firm’s lack of due care and due diligence is used to determine liability. While what constitutes due care and due diligence might vary widely from case to case, the SEC’s recent ruling (in the case of RT Jones Capital) offers a little more clarity.

The SEC’s decision in the Jones case sends a clear message. A successful post-breach response is not enough. Companies must have written policies and procedures on hand. Written policies and procedures demonstrate your organization’s efforts to actively defend its cyberspace. From the outside looking in (despite a proper post-breach response), the firm’s lack of defined policies and procedures demonstrated a dearth of due care and due diligence.

2. They provide a measure of consistency amid chaos.

The armed services continuously practice their various battle drills. Why? Because they want the execution of these exercises to become second nature. They don’t want their people (on the front lines) thinking “what do I do now?” or “what comes next?” Their battle drills are the equivalent of our policies and procedures. During the fog of a breach, policies and procedures allow us to act in a systematic manner to stop the bleeding and remove the threat.

Writing policies and procedures is not the sexy side of cyber security. Stop for a moment and think about CSI Cyber, Mr. Robot, and any other fictional cyber security show. Can you remember the last time they talked about policies and procedures? However, well-crafted, well-tested, and well-executed policies and procedures could very likely prevent your next incident and hundreds of thousands of dollars in fines.

3. They result in measurable and quantifiable metrics.

A great coach does not assume his defense can stop the offense. He tests his policies and procedures (or in his case the defensive playbook) by subjecting his defense to the offense. Then and only then can the coach objectively assess the readiness of his defensive players. Practice allows him to see who is missing blocks, misreading the offense, and not executing their assigned tasks. A great coach will take this information and use it to make the team better.


The 20 Critical Security Controls are a great place for your organization to start. These controls offer prioritized and systematic guidance that your security teams can use to begin defining policies and procedures. If implemented properly, they also produce metrics that allow you to objectively assess the effectiveness of your policies and procedures.

4. They facilitate focus on the task at hand.

The worst time to decide what to do is in the heat of battle. When you get that call or alert at 0315 (while you’re on vacation across the country), you don’t have the luxury of time. Immediate steps must be taken to stop the bleeding, contain the breach, and ultimately restore normal operations. Written policies and procedures allow people to work their way systematically towards these goals. They significantly reduce the foreboding sense of being overwhelmed by focusing the team on the task at hand.

The writing on the wall is clear. Your company’s liability depends upon more than just its ability to respond. Recent events suggest you will be held liable based on your preventative measures as well.


TJ Trent is an expert in organizational compliance and governance for organizations in the cyber universe. His focus is on people, processes, and systems, which provides the foundation for understanding the true place of technology in the cyber world.

TJ works fiercely and passionately to prevent, detect, and eradicate cyber threats. During his 13-year career he has witnessed the information technology field burgeon into a powerhouse industry intertwined with the fabric of our lives. As the lines have blurred between technology and our lives, cyber security and cyber awareness are at the forefront of media attention. The last two years we have been inundated with breach after breach, from healthcare and banking violations to our most sensitive and private photographs. It seems like nothing is safe anymore.

A high achiever dedicated to learning and continual improvement, TJ has risen to the elite levels of success in his career. With over nine years of leadership experience, TJ has helped many organizations and individuals reach milestones within their careers. As a result, he is also uniquely suited to help you turbocharge your career within the information technology field.

TJ's credentials include a Bachelor of Science in Information Systems Security, Certified Information Systems Security Professional, GIAC Security Essentials (SANS 401), GIAC Certified Enterprise Defender (SANS 501), GIAC Certified Incident Handler (SANS 504), GIAC Certified Intrusion Analyst (SANS 503), GIAC Certified Forensic Examiner (SANS 408), GIAC Certified Critical Controls (SANS 566), and GIAC Certified Network Systems Auditor (AUD 507). TJ will complete his Master of Business Administration in Technology Management in February 2016.

The opinions expressed in this blog are those of TJ Trent and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.