It’s one of those truisms of life: if you get all your chores done, you get to go out and play.
Cybersecurity policies are a lot like that. They are the structures you must have before your systems can run as they should.
Look, I get it. Considering that most companies need dozens of individual cybersecurity policies, you may feel like they're a lot of work and unnecessary expense at first. But cybersecurity policies truly are the ultimate investment. The time you put into them up front is repaid many times over when an audit, an insurer, or an incident forces the question. There's no question: they'll keep your company safer and ensure your cybersecurity tools work better, too.
So why are so many companies missing opportunities on the policy front? I think it’s because they don’t know how to put their cybersecurity policies to work for them. Let’s dig into what that means.
What is a Cybersecurity Policy?
Put simply, a cybersecurity policy is a written statement of the rules, responsibilities, and controls a company commits to in order to protect its data and the systems that hold it. Cybersecurity policies also cover your physical plant: your network, servers, workstations, and mobile devices, since they carry that data.
How Many Types of Cybersecurity Policies Are There?
A lot.
Not to be glib here, but it's true. Here at Integris, it is not uncommon for us to generate between 20 and 50 individual policy documents for our clients. We generally base these policies on the NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology.
There could be more, however, depending on your industry. If your company is in the legal, manufacturing, or healthcare sectors, regulators will ask to see your cybersecurity policies. Be sure your policies align with your regulatory burdens.
All this documentation can seem intimidating at first. But no matter your industry, your policies fall into two groups: people policies and management policies. Let's break that down.
People policies
People policies involve your employees/vendors/users as individuals. How should they safely navigate your systems? What security rules do they have to follow? How are their devices secured?
These questions sound simple, but I assure you, they are not. Each requires its own protocol, in addition to policies for many other functions, including:
- Encryption—when and where it’s needed
- Acceptable use of company devices
- Backup and recovery for individuals
- Clean desk policy
- Cloud computing security
- Data retention
- Ethics
- Information and media disposal policies, when employees leave or change devices
- Mobile computing security
- Password construction guidelines
- Bring-your-own-device policies
- Personal security management
- Remote working security
- Security awareness and training requirements
That covers a lot. But it only covers what needs to be done on an individual level. “Management Policies,” which we’ll talk about next, are policies that outline how the organization handles security on the macro level.
Management Policies
Your management policies for cybersecurity should center around one thing: governance. Management policies outline the cybersecurity plans and procedures for your company’s network and administrative levels.
In a well-prepared organization, each one of these topics will generally have its own separate, written policy:
- Access control
- Acquisition assessment
- Audit and compliance
- Business continuity and continuity of operations
- Change management
- Data breach response
- Data destruction
- Data encryption & database credentials
- Hardware and software review
- Information logging standards
- Information security organization policy
- Information storage and retention
- IT risk management
- Malicious software management
- Mass media management
- Minimum access policy
- Password sharing statement
- Physical security
- Remote access policy, security, and tools
- Router and switch security
- Security incident response
- Server security
- Software installation
- System configuration management
- Technology equipment disposal policy
- Third-party security
- Wireless communication standards
- Workstation security
- Security response
If it seems like an awful lot of things to be thinking about, it is. But fail to think about them at your peril. Every company needs to make at least a rudimentary pass at these issues if they want to secure their systems. Some will need these policies more, and some less.
Nevertheless, every company will need a cybersecurity policy framework customized to their circumstances. And that customization process is usually where the mistakes come into play. Here’s where I think cybersecurity programs most commonly run into trouble.
Putting Your Cybersecurity Policies to Work for You: The Three Ways Companies Fail the Test
For too many companies, their cybersecurity policy coverage is hit or miss. It’s not that they don’t have policies at all. They don’t have the right policies, for the right things, at the correct times. But that’s a little bit of a general explanation.
Let’s get more specific. Here are the three most common ways companies trip themselves up when making cybersecurity policies.
#1—“Cart Before the Horse” Thinking
When you want to get something done, most people make a plan and then act. For cybersecurity policies, the plan has to come second: you need to understand what you already have before you write the rules for it. I know that sounds counter-intuitive, but bear with me.
The best cybersecurity policies are those written around the systems an existing business actually runs. In other words, you inventory and map your environment first, then write your policies around what you already have. Yes, you'll have to add new procedures to cover gaps in your security. But the best plans start with understanding your systems before you begin.
How to fix it: Have a cybersecurity professional thoroughly assess and map your systems before you write your policies. Don’t try to shoe-horn an off-the-rack policy to fit your organization. Remember, customization is key to a good policy.
#2—Reactionary Policy Making
You can't take the "we'll cross that bridge when we get to it" approach with your cybersecurity policy. I can't tell you how often we have prospective clients come through the door with a cybersecurity emergency. Usually, an auditor has found policy deficiencies during an audit. Or they have a chance to get cyber risk insurance or bid for a transformative piece of new business, but they don't have enough protection in place to qualify.
This is what I call reactionary policy making. Companies only purchase the right tools or write down their procedures under duress. When they do this, it leads to hurried and knee-jerk decisions around their cybersecurity operations. It leads to holes in your operations, poor investments, or worse, unforeseen circumstances that can cause confusion and hurt your productivity.
How to fix it: Don't skip any steps. At a minimum, cover every core function of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover, plus Govern in CSF 2.0). Do regular assessments, at least once a year, to keep up with any new protocols or security requirements for your industry. Include third-party risk assessments as well. Trust me. You'll be glad you did.
#3—Failure to Scale for the Future
Some companies get their policies on the books, put them on the shelf, and call themselves done. They cover the bare minimum requirements. Then three years later, they’re surprised when their protocols don’t match up with what’s happening on the ground in their company.
They've failed to plan for the company's growth or changes in their circumstances, and now their policies are out of date, fast. These policy gaps create critical holes in your security infrastructure. Planning for the future is vital.
How to fix it: Don’t do your cybersecurity planning in a vacuum. CISOs should speak to the C-Suite about the company’s aspirations for the next five years, at a minimum. How big could the company get? Will there be new offices? New remote workers? Will the company be adding on new customer interfaces or new systems? Will they be expanding their market into new industries with unique requirements? How will the company’s systems and tools change in the next few years?
These are just a few questions you should ask during your annual policy reviews. Consider updating your policies proactively to stay one step ahead of your needs. Your policy coverage will help you build your new systems safely. And who doesn’t want that?
Building Your Cybersecurity Policies: The Next Step
If you’ve got airtight cybersecurity policies already, I commend you. But if you’ve read all this and you’re a little concerned about the quality and scope of your cybersecurity procedures, try asking yourself these questions:
- Who is the keeper of our cybersecurity policies? Where do they reside, who keeps them, and do we have a solid protocol for updating them regularly?
- When was the last time we updated our cybersecurity policies?
- Could we produce our written policies quickly for a client or cyber insurer who wanted to see them?
- Do our cybersecurity policies dovetail with our disaster recovery policies? How would we maintain cybersecurity in case of a breach or service outage?
If you don’t like the answer to these questions, you haven’t put your policies to work for you yet. At Integris, we’d love to consult with you on your cybersecurity. If you’d like to dig deeper on the subject, you can check out some of our latest cybersecurity resources.
Learn More:
Cybersecurity policies podcast with Nick McCourt
Webinar: Mastering Cyber Insurance
More about Shields Up and the Government’s Ask for Business Cybersecurity