“Don’t think about winning the SEC Championship. Don’t think about the national championship. Think about what you needed to do in this drill, on this play, in this moment. That’s the process: Let’s think about what we can do today, the task at hand.” -Coach Nick Saban

Can you name anything (in our society) that is not driven (at least in part) by emotion? Our perception of events (and how they might help or harm us) drives our emotional reactions. Oil prices drop, and the market plunges 200 points in one day. The Fed raises interest rates one basis point and the market reacts. It almost seems like a self-fulfilling prophecy.

We want to use our robust emotional brain to our advantage, not our disadvantage. The midst of battle is not when we should decide how we are going to react. Written policies and procedures help us leverage our emotions while responding in a parallel manner towards a common goal.

Implementing sound policies and procedures will help your organization in the following ways.

1. Policies are the first manifestations of our prevention efforts.

Due care and due diligence are the two buzzwords tossed around post-breach. Often, a firm’s lack of due care and due diligence is used to determine liability. While what constitutes due care and due diligence might vary widely from case to case, the SEC’s recent ruling (in the case of RT Jones Capital) offers a little more clarity.

The SEC’s decision in the Jones case sends a clear message. A successful post-breach response is not enough. Companies must have written policies and procedures on hand. Written policies and procedures demonstrate your organization’s efforts to defend its cyberspace actively. From the outside looking in (despite a proper post-breach response), the firm’s lack of defined policies and procedures demonstrated a dearth of due care and due diligence.

2. They provide a measure of consistency amid chaos.

The armed services continuously practice their various battle drills. Why?
Because they want the execution of these exercises to become second nature. They don’t want their people (on the front lines) thinking “what do I do now” or “what comes next”. Their battle drills are equivalent to our policies and procedures. During the fog of a breach, they will allow us to act in a systematic manner to stop the bleeding and remove the threat.

Writing policies and procedures is not the sexy side of cyber security. Stop for a moment and think about CSI Cyber, Mr. Robot, and any other fictional cyber security show. Can you remember the last time they talked about policies and procedures? Crafting policies and procedures is not the sexy side of the industry. However, well-crafted, well-tested, and well-executed policies and procedures could very likely prevent your next monster.com moment and hundreds of thousands of dollars in fines.

3. They result in measurable and quantifiable metrics.

A great coach does not assume his defense can stop the offense. He tests his policies and procedures (or in his case, the defensive playbook) by subjecting his defense to the offense. Then and only then can the coach objectively assess the readiness of his defensive players. Practice allows him to see who is missing blocks, misreading the offense, and not executing their assigned tasks. A great coach will take this information and use it to make the team better.

The 20 Critical Security Controls is a great place for your organization to start. These controls offer prioritized and systematic guidance that your security teams can use to begin defining policies and procedures. If implemented properly, they also result in metrics that allow you to objectively assess the effectiveness of your policies and procedures.

4. They facilitate focus on the task at hand.

The worst time to worry about what to do is in the heat of battle.
When you get that call or alert at 0315 (while you’re on vacation across the country), you don’t have the luxury of time. Immediate steps must be taken to stop the bleeding, contain the breach, and ultimately restore normal operations. Written policies and procedures allow people to systematically work their way towards these goals. They significantly reduce the foreboding sense of being overwhelmed by focusing the team on the task at hand.

The writing on the wall is clear. Your company’s liability depends upon more than just its ability to respond. Recent events suggest you will be held liable based on your preventative measures as well.