Susan sits down with Nick McCourt, Lead vCISO at Integris, to discuss all things cybersecurity policy: what they are, why they’re important, and what businesses often miss when they create them (if they create them at all).
See our article, as mentioned in the episode, for more info on policies.
Susan Gosselin: Hi, everybody. Welcome to the Helpdesk. I’m Susan Gosselin with Integris marketing here today with Nick McCourt, our head honcho on our CISO front at Integris.
And we have another fantastic cybersecurity podcast for you today. Now, before I get into the subject, I just wanna say, I know a lot of you are gonna hear it and you’re gonna go, oh, no, because we’re talking about cybersecurity policies, right? Not exactly scintillating subject material, but I’m here to tell you it really can be the difference between having a smart, well run, well planned for, well secured cybersecurity policy and not.
And Nick is here today to set y’all straight. Okay.
What is a cybersecurity policy?
Susan Gosselin: So first of all, let’s get into exactly what a cybersecurity policy is. Because I think it can be easy to get it confused with cybersecurity insurance, which is a totally different thing. Nick just give us the baseline of what you all consider a cybersecurity policy to be.
Nick McCourt: A cybersecurity policy is a living document that essentially says this is what your organization is going to do about a specific subject.
Susan Gosselin: Okay. So it’s having all your rules, regulations, and procedures just written down. So everybody knows what they are, right.
Nick McCourt: Yeah, it also, it separates too, cuz a lot of organizations will put all of their plans and procedures into the same document.
If we are talking about a cybersecurity policy, it is just a declaration of intent of what you’re going to do after that. And it will call to other specific procedures and other specific plans.
Susan Gosselin: Okay, so full disclosure y’all. Nick and I were having a long conversation about cybersecurity policies here, right before we published his last blog on the subject.
And he was showing me a list of the cybersecurity policies that he puts together for a typical client. And I was completely floored at how many there were, and each one of them could be one page or several pages, but there were like, how many of those, like for the average client Nick?
Nick McCourt: The average number of accurate policies for a client is somewhere around 50 to 60.
Susan Gosselin: And each one of those can be one page or several pages depending on what it is, right? All right. So that’s a lot of stuff. A lot of stuff to even contemplate talking about. So let’s maybe just start off by dividing these into two groups.
So the way I understand it is there are two different kinds of cybersecurity policies that companies have, the people policies and the management policies. Can you explain that a little bit?
Nick McCourt: Sure. That’s one of the easiest ways that we use to separate out for an organization. People policies quite simply are the policies that may correlate with what Human Resources is doing.
They may correlate with several other different departments, but they are the policies that every single employee probably needs to read, understand, and acknowledge.
Susan Gosselin: All right. So let’s talk a little bit about what those are. Those are things like what, Bring Your Own Device policies, password authentication. What kind of things do those people policies cover?
Nick McCourt: They usually cover systems, computers, and data that employees normally touch. They also include things sometimes. And we have the ethics policy. Sometimes that gets called out. I get this question a lot. Why do you have an ethics policy in there?
If human resources hasn’t already placed it in there, then cybersecurity wants to make sure that it’s in there because your employees need to actually defend the organization by carrying themselves in a well intentioned manner, let’s put it that way.
Susan Gosselin: So something like that might include, say we expect you to use two factor authentication that we have provided to you. We expect you not to give people your password and let them play around on your company computer. We expect you to take the cybersecurity training that we have provided and to complete the tests and pass them. We expect you to be aware of phishing scams and things that could be coming at you. What other, what am I missing here?
Nick McCourt: Now you’re covering a very wide range right now. It usually includes all of those. What these policies are usually centered around, it starts with a specific policy that the rest of them kind of flow from, but it’s acceptable use and, alphabetically, that’s usually up there at the top: acceptable use.
With how, how do you use things? What is the company okay with? What is the company not okay with? How do you conduct yourself with devices while working?
Susan Gosselin: Right. We have a previous podcast that we have done that talks a lot about social engineering. I highly recommend y’all listen to that.
It is really startling, the amount of things that your employees can get caught up in. So the benefit of having these people policies written down is that maybe they are part of the new hire training, maybe they’re in the employee handbook. And they’re just a set of expectations for how people interact with their technology and all the different things they need to do to keep it safe, right?
Nick McCourt: Yes.
Susan Gosselin: Okay. All right.
Susan Gosselin: We got that settled. Let’s move on to the next one. And that is management policies, so let’s talk a little bit about those because I think that’s really where it gets considerably more complex. What are the sorts of things that management policies tend to cover?
Nick McCourt: Let’s start with one of the more awkward of the policies and that’s the acquisition assessment policy. A lot of organizations may not have a document that basically states, “Hey, as we grow, we may actually look at buying another organization. We may look at buying another company.” And it’s good to have that policy essentially in your back pocket for, in the event, in the future of, “Hey, we’ve decided we’re gonna buy a company. We’re gonna integrate their systems.” So here is a short policy that essentially says, here’s what you need to follow. Here’s how you need to do it.
Other policies in management usually dictate very specific things like data classification or making sure that systems are configured with security baselines, that we’re hardening systems and how we’re configuring and managing those systems.
These are policies that essentially fall under what the management team, what the executive C level suite need to know and what they need to be carried out by specific individuals in an organization, but do not necessarily need to be known, read and acknowledged by all of the employees.
Susan Gosselin: So, let’s say a management policy might be created around something like say disaster recovery, right?
So here are the cybersecurity steps that need to be taken in the event that we have a tornado that wipes out our server room. What do we do then? It’s something that people can go to. In case of emergency break glass kind of situation where everybody doesn’t know what’s going on and needs to be able to refer to something specific, right?
Nick McCourt: Yeah. It’s basically having the instruction manual in case you need to do something to fix something.
I have a great example of, as a kid, my dad had a chainsaw and he kept the manual. In fact, the manual was still carefully preserved in that plastic baggy that it came in with the tape. He never took it out. We lived in the woods, he’s cutting logs and we’ve got trees that need to be felled from time to time after big weather events. So one day he popped the chain off. But instead of going back and reviewing that, he just took the thing apart and managed to install the chain backwards, which is tough to do. But there’s an older one where you can turn the chain around.
And so he put it on backwards and, he burned out the chainsaw so he had to go get a new one. This, for cybersecurity, you wanna have that manual, but hey, this is, these are living documents, right? These are documents that need to be reviewed at least on an annual basis. Something like a disaster recovery policy, that needs to be reviewed. Similar to that, an incident management policy that correlates with several other types of documents, for example, like an incident management plan.
Plans and policies should not mix outside of calling to each other. So you shouldn’t have, here’s our single document. This is our Incident Response policy. The plan is underneath. We put it in a summary. Your plan, your Incident Response policy might be somewhere between five to seven pages.
Your incident management plan is that full manual of everything that needs to be done. So on average, those are somewhere around 50 to 60 pages long. That could be longer. It depends on the size of the organization and all the different divisions, all the different individuals that need to be.
Susan Gosselin: It sounds terribly complicated.
And it’s the sort of thing that tends to scare a lot of organizations, especially those smaller and mid-sized companies that maybe never have bothered to put any of this stuff down before, right? It can be terrifying. But I will take this opportunity to make a shameless plug for Integris.
And that is if you come to work with us and get our CISO services you can take advantage of all the things that we’ve done in the past. We have a lot of stuff that’s locked and loaded and can just be revised to work to your situation, right?
Nick McCourt: Yeah. I think the biggest emphasis is we work with different industries.
And it’s tough if you’re in an organization or you’re in an industry that has specific requirements and regulations. Those do change on a regular basis, and small, medium businesses, now more than ever, they’re being held at the same level as these big, massive enterprises, because there’s a window into them.
It’s not like they’re not successful organizations. There are smaller organizations that are very successful. They don’t always necessarily need to scale up as much. But they do need to protect their data and they do have a lot of connections to other organizations.
And so it’s very important to understand what your regulations are, adhere your policies to the framework that you’re following. That is something that we’ve gotten used to doing. And honestly we do pretty well.
Susan Gosselin: So let’s dig into that just a little bit. When it comes to how big you are before you need to have this stuff written down, the answer is, that really does depend on the complexity of your industry.
How you’re regulated and who you’re connected to and the type of data you’re managing. So all the people out there that think, “we’re not big enough to really mess with that.” I would beg to differ. You really need to take a hard look.
Consequences of not having policies in place
Susan Gosselin: So let’s talk a little bit about consequences of not having the proper policies in place because it can be easy when you’re just going along and doing your thing and growing your business to think, oh, what’s the worst that can happen. But you can really get yourself in a mess on two fronts and that’s with cybersecurity insurers and regulators, and also potential new clients. So why don’t you talk a little bit about that, about the sorts of things that are happening to companies that find themselves on their back foot?
Nick McCourt: Yeah. I think a lot of organizations, a lot of companies don’t seem to understand that an IT security policy may make the difference between having new business and going out of business.
If you’re continuously updating all of your policies, then an auditor or some sort of regulator, a third party assessment… when they come in to either certify your organization or when a potential or prospective business opportunity arises, they’re asking for these things. They want to know if you have these policies, and they wanna know if you follow them, by the way. So, we’ll throw that in there before we go any further. And that is quite simply, you can have a policy, but if you don’t follow the policy that’s gonna cause some issues too. But we can cover a little bit more of that later.
What’s most important though is, we have organizations that, if they continuously maintain a security profile, if they continue to work on an established nationally or internationally recognized framework and tailor it to their needs, have somebody to kinda lead the charge with that, then what it does is it actually opens up new business opportunities and it helps them maintain their current business opportunities.
And sure, cyber liability insurance is part of it. That changed as of the beginning of 2022. Okay. Questionnaires that we had never seen before started just flooding different industries. Back to what you had said, size does not matter for the organization. The industry matters. You can have an organization that has 20 employees and you have an organization that has 10,000 employees.
They may need the same number of policies if they’re in the same industry in order to continue to stay ahead.
Susan Gosselin: Right. Right. So let’s talk about that in practical terms. Okay. So let’s say you’re running a small manufacturing company, but you’ve got this fantastic opportunity to work with the Department of Defense.
The Department of Defense comes in and they say, oh, are you guys CMMC certified? Or, are you let’s see your cybersecurity policies as proof of what your procedures are. You have to be able to provide that in writing, to them, for them to view. All of a sudden you’re in the situation where you’re having to produce literally hundreds of documents, knowing not a single thing about what you’re doing or whether they’re actually matching up to what you’ve actually got.
You’re totally on your back foot. Chances are good, you’re not gonna make that RFP.
Susan Gosselin: So the consequences are real and let’s get a little bit into, what kinds of things you’re starting to see in 2022 in terms of cybersecurity insurance questionnaires and what they’re asking that’s different.
Nick McCourt: Sure. As far as insurance questionnaires, it’s no longer a suggestion. “Hey, we would suggest that you have antivirus installed. If you have it, could you tell us what it is? If you don’t, that’s okay.” Now it’s, “What is your antivirus? What is the name of the antivirus?” In some cases, and we’ve dealt with this recently, insurance providers will go look up a list.
They’ll look at the top 10 or the top 20 managed endpoint detection response. And maybe the product you’re using is not on there. They don’t care. They wanna know if you have a product. Early forms, we actually had to fight with a few of ’em and say no, you need to provide the other section.
You can’t just say you can only have these 10 things installed. In the meantime, however, it’s, again, not a suggestion. You need to have managed endpoint detection response. You need to have phishing simulation and security awareness training. How often do you do it? You need to have vulnerability management and originally vulnerability management was, do you do it once a year?
Do you do it once every six months? Now, it’s do you have continuous scanning? Do you have monthly scanning? Do you have quarterly scanning? There are no options for every six months. There are no options for once a year. The quarterly scanning will probably drop off sometime in the near future. Your options will be, do you scan once a month or do you have continuous scanning vulnerability management?
If you don’t have those things, interesting enough, they will not provide you with an insurance policy. They say, sorry, we’ll try to send you somewhere else. We hear that a lot. We’ll have to send you somewhere else. What we also see is that they hire third party companies to come in and scan all your publicly facing systems.
So if you have a website or firewall that you are managing directly, they’ll scan it. And that will actually go to the underwriters for your insurance policy to determine whether or not you can continue paying the same amount or whether or not you have to pay an extra 40,000 a year versus what you were paying.
And these aren’t small numbers. Maybe you’re not getting insurance, or maybe you are going to be paying 40, 50, 60,000 extra from what you’re already doing, just to maintain some sort of insurance policy. And keep in mind, back to your mention, hey, if you’re trying to get a contract with the DOD.
You probably have to have cyber liability insurance in order to maintain some sort of contract. You need to have proof that, hey, if something bad happens that you can recover. And that’s what insurance is for a lot of these organizations. Keep in mind. CMMC, we can talk about CMMC since you brought that up. This has come into fruition this year.
There are other possibilities now that the DOD is looking into, but CMMC compliance being, CMMC certified. You have to go in and submit for yourself first and have a self assessment that you’re actually passing. And they asked for information on that. And if you can’t provide that, then it’s not gonna help.
Susan Gosselin: So bottom line is here. It’s not enough just to have the tools. It’s not even enough just to have the processes. You have to have the plan that puts the umbrella over all of these things and makes it come up all nice, neat, and pretty. When anybody asks you, you can say, here you go, right?
Typical/average policies for businesses, back filling
Susan Gosselin: So what are the policies that you find yourself back filling a lot for clients like, oh okay, they got this, but boy, they don’t have this. They don’t have that. We better fix that.
Nick McCourt: The average number of policies that I normally see for small and medium size companies that say no, no, no, no. We have security policies. The average number I see is about 12. They have 12 policies total. So they’ll have two to three kind of employee facing policies. Sometimes they’ll have a single policy that has a couple of line statements. Instead of having an acceptable encryption policy, you’ll have a paragraph underneath your information security policy that says we’re gonna encrypt devices.
That’s fine. How are you gonna do that? And interestingly enough, that’s one of the first policies I usually end up having to back fill. You need to have an acceptable encryption policy separate, and here’s why. You need to state how you’re encrypting your devices. Are you, you know, encrypting them at rest?
We also need to specify that we’re encrypting data in transit. Make sure that just because your hard drive is encrypted, when it’s turned off. What if you email something, how are you emailing? Are you emailing it encrypted or are you just throwing it out there into the world and hoping that it makes it to the place that you’re sending it to?
And that’s the kind of thing that we usually start with, because most organizations may not know that they are already encrypting things, but when a client or customer of theirs comes in and they send their auditor and they say, “All right. We wanna see your acceptable encryption policy.”
“Okay, here’s our information security policy.”
The auditor comes back and goes, “Yeah, I see that you make a mention, but I want the separated policy. I want to see your acceptable encryption policy. Are you doing it using AES encryption? Which cryptographic models are you using?” That sort of thing.
And so we often start there, make sure that they have that. And interestingly enough, the auditor’s always asking, ’cause acceptable, A, right? It’s alphabetical. A. Do you have acceptable encryption? And so that’s where we usually start.
Susan Gosselin: Oh, wow. Yeah. I have a feeling if we actually started going down the list of every single thing that companies tend to miss, we might be here all afternoon.
Nick McCourt: Three to four hours at least.
Susan Gosselin: Yeah. Yeah. We probably shouldn’t dig too deep on this one. I’m gonna put my shovel down. So all right. I have asked all of the questions that I wanted to ask on the matter of policy.
Policies are living documents
Susan Gosselin: So I’m wondering if you have anything that you feel that we missed or any parting thoughts for our dear listeners out there today.
Nick McCourt: Again, I just wanna recap policies are living documents. IT security policies are just the beginning. You start with those, and that allows you to also have procedures and plans. But the most important thing I want to say is that everybody wants to buy the car, cuz a new car is shiny.
But what we often forget about, or when we’re telling the story of how we got a new car, we usually skip over the fact that we sat at the dealership filling out documents so that we have documents that show why we have the car and who owns the car, right? That’s the same thing for IT security policies.
They’re not as shiny as having a brand new state of the art antivirus or having great managed endpoint detection response, or having a great vulnerability management program. But at the end of the day, you have to have a policy that says that you’re gonna do it, because if you want to continue to grow your business, they’re happy that you have those other things, but if you don’t have a document saying that you’re going to do this and why you’re gonna do this, then they automatically assume that you technically don’t own that process.
Just like if you don’t have a document that says you own a car, maybe you don’t own the car. So that’s the most important part that I’d like to say about how important IT security policies are.
Susan Gosselin: Oh, Nick. He always manages to have the best metaphors for things, right? You know, wrapping that thing right up with a metaphor.
So there you have it. Folks, cybersecurity policies are just like signing your paperwork at the car dealership. Not very sexy but necessary. Okay. So with that, then I am going to wrap up this episode and also point in the show notes to our blog on this subject, which will definitely take you point through point about what we were just talking about.
And also, don’t hesitate to go to our blog section on the Integris website and let your fingers do the searching because we have lots and lots of information about things like HIPAA and cybersecurity policies and all of the ancillary things that we were talking about today.
But until next month, you’ll just have to wait for our next pearls of wisdom. That’s it for me. And that’s it for Nick. We’ll see you next month at The Helpdesk.