By Ben Kast   /   Mar 9th, 2021

5 Rules to Live by For Strong Cybersecurity Policy Development

At LMG Security we are often engaged to provide cybersecurity policy development services for organizations. We also review policies on a consistent basis when conducting various types of assessments for clients. We’ve identified trends in these types of engagements:

  • Compliance and regulatory gaps discovered through policy review
  • Gaps in policies discovered as part of a review of a maturing cybersecurity program
  • Organizations that require a particular level of policy maturity in order to conduct business in the marketplace

Of these three, the first and third trends often present the highest risks. Sometimes clients may even go so far as saying, “we would like for you to help us look better on paper.” When we hear this, we understand what they are getting at, however, we don’t like what we are hearing.

The goal of cybersecurity policy development should not be about appearances, and it certainly should never be used to mislead. These goals defeat the purpose of cybersecurity policy development; the goal should be to reduce risk, not increase it by having policies the organization has no intention of following. Now that we have covered what not to do, let’s look at cybersecurity policy development practices that will strengthen your security posture.

5 Rules to Live by For Strong Cybersecurity Policy Development

  1. Don’t mistake the map for the territory: Your cybersecurity policies do not represent the reality of what your organization is practicing unless you put in the required work to follow what they say. Your policies should not just be items that are required to be read annually and signed off on by employees in order to check a box. For policies to be effective, they must be a true and accurate reflection of your organization’s security controls, including the people and processes behind those controls. They therefore need to be based in reality and well-structured, factoring in different departments and organizational functions, not just IT/Security. This includes the need for buy-in from the top of the organization for governance as well as legal considerations.
  2. Don’t be aspirational: Avoid cybersecurity policy development based on how you want things to be, or on how you suspect they will be once you’ve accomplished long-term security related goals. Take them down to earth and write them based on what you can demonstrate consistently in the here and now. Find the right balance in terms of enough detail versus not too much detail; too much detail can make them obsolete if there are little changes, and you don’t want to state too much in writing if you’ll have difficulty consistently doing what is stated in the policy. To make things easier, include appropriate references and mappings to things that need to be tracked (whether regulatory references or framework and standard references).
  3. Don’t make them an afterthought: Make cybersecurity policy development and management an annual activity, and don’t wait to the last minute to work on them just to make a deadline. This will make it more difficult to follow the other four rules on this list. As part of this process, ensure all relevant stakeholders are included in the process and have appropriate time for meaningful input. Also, make sure the policies clearly state who is responsible for carrying things out (not just we’ll do them, but who will do them), including the key people responsible for their ongoing development and management. This will galvanize engagement and prompt stakeholders to integrate the policy requirements into day-to-day management.
  4. Take your cybersecurity policies seriously: Have mechanisms to keep track of versioning and periodic reviews and updates. The last thing you want is for your policies to rot on a network drive, only to be accessed when collecting them for a third-party assessment or auditor. They should be owned and treated as key governing documents for your organization. If you don’t manage them from that perspective, it will be hard to expect your employees to take them seriously. Lead by example and take them seriously. Expect the entire organization to do the same. They are an important component of developing and maintaining a security-minded culture.
  5. Architect them to be a living part of your organization: This rule is at the heart of the other four. The goal of cybersecurity policies, as stated earlier, is to reduce risk. They are not merely CYA measures. Work is required to build a secure organization, which doesn’t happen overnight. Rules are required and must be followed, and cybersecurity policies represent those rules. When done well, they reduce uncertainty, increase morale, strengthen organizations, and, yes, reduce risk. For this to happen, cybersecurity policies must become a living part of the organization that makes sense and are accepted by its participants.

By following these five rules, you can develop sound cybersecurity polices that provide appropriate cybersecurity guardrails for your organization and better allow you to successfully conduct business in a world of increasing security risk. There is always going to be inherent cybersecurity risk involved in conducting business. It is therefore incumbent on organizations to be good stewards of their sensitive data and systems.

All that said, I offer one more bonus consideration, which could also be considered the sixth rule: Don’t spin your wheels. Drafting security policies can be an arduous and time-consuming task. That is especially true if you have a number of stakeholders who will need to be involved in the process and if your policies are attempting to meet numerous requirements. If you get stuck along the way, don’t spin your wheels. Know when to get outside help in order to speed things along and to ensure your organization is following best practices. Contact us if you’d like help.

About the Author

Ben Kast

Ben Kast is a Senior Security Consultant at LMG Security. He has conducted penetration testing engagements for companies ranging in size from multi-billion dollar publicly traded companies to small and medium sized organizations. He has over 20 years of IT experience that includes software product development, project management, implementation and consulting. He has a degree from the University of Montana, and is a GIAC-certified penetration tester (GPEN).