The Breakdown in Effective Security Policy
One of the biggest causes of security breaches in business is a breakdown in the effective security "policy and strategy that is typically created through tiers of risk management" (Network World, 2015). This breakdown can be traced to several root causes, covered in turn below: missing management buy-in, a vision that is not communicated, and a policy that does not align with the organization's mission.
No security policy will be effective without management buy-in. Executives must understand the impact that a "security breach will have on their system and business in a short-term view and a long-term view" (PR NewsWire, 2015). "With no central management support of security policy, employees will not take it seriously" (CSO Magazine Online, 2015). Many companies focus on the bottom line, and a security team that does not contribute directly to that bottom line is the first budget to be cut, because security is seen as a cost center rather than a core business function.
The short-term and long-term vision for the organization's security goals must be communicated in a way that conveys the right level of importance for each goal and the impact a breach would have on it. "The vision is 'why we are driving the car and where'" (Forbes, 2013). How do we get to where we need to be, and what will stop us from getting there? An effective vision is not just a starting point, a reachable end, and the waypoints in between; it also states why we are making the trip. Tell two people individually to do something without specifying how it is to be accomplished and the results can vary widely. Vision is the direction and the reason for going there in the first place, and an effective security policy is no different.
"Regardless of the organization's actual cyber security policy, the understanding needs to be made that the cyber security policy aligns with your organization's mission" (Truman National Security Project, 2015). In other words, the security function must always align with the business function of the company and its purpose. A good rule of thumb for a proportionate security policy is "don't put a 10 dollar lock on a 5 dollar bike." Understanding the Annualized Rate of Occurrence (ARO) of a threat, the expected number of incidents per year, goes a long way toward an economically sound approach to the mission: a control is only worth buying if the annual loss it prevents exceeds what it costs each year. Have your security goals align with your business functions in a reasonable manner.
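To make the lock-and-bike rule concrete, here is an added worked example (not from the original post) that applies the standard quantitative risk formulas the ARO feeds into: Single Loss Expectancy (SLE) = asset value x exposure factor, Annualized Loss Expectancy (ALE) = SLE x ARO, and the net value of a safeguard = ALE before the control minus ALE after it minus the control's annual cost. The scenarios, dollar figures and control names (the bike, the customer database, the MFA rollout) are constructed for illustration and are not real data.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, in standard quantitative risk terms."""
    name: str
    asset_value: float      # what the asset is worth (replacement or business value)
    exposure_factor: float  # fraction of that value lost in a single incident, 0..1
    aro: float              # Annualized Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year with no new control."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A proposed control, expressed as what it costs and how much risk it removes."""
    name: str
    annual_cost: float         # purchase cost amortized per year plus operating cost
    aro_reduction: float       # fraction of incidents the control prevents, 0..1
    ef_reduction: float = 0.0  # fraction by which it shrinks the loss per incident, 0..1


def residual_scenario(s: RiskScenario, c: Safeguard) -> RiskScenario:
    """The same scenario after the control is in place."""
    return replace(
        s,
        aro=s.aro * (1.0 - c.aro_reduction),
        exposure_factor=s.exposure_factor * (1.0 - c.ef_reduction),
    )


def safeguard_value(s: RiskScenario, c: Safeguard) -> float:
    """Net annual value of the control: risk removed minus what the control costs.

    Positive means the control pays for itself; negative is the $10 lock on the $5 bike.
    """
    return s.ale() - residual_scenario(s, c).ale() - c.annual_cost


def is_justified(s: RiskScenario, c: Safeguard) -> bool:
    return safeguard_value(s, c) > 0.0


# Constructed illustrative inputs, not real figures.
BIKE = RiskScenario(name="bike theft", asset_value=5.0, exposure_factor=1.0, aro=0.5)
TEN_DOLLAR_LOCK = Safeguard(name="$10 lock", annual_cost=10.0, aro_reduction=0.9)

CUSTOMER_DB = RiskScenario(
    name="customer database breach via stolen credentials",
    asset_value=2_000_000.0, exposure_factor=0.25, aro=0.1,
)
MFA = Safeguard(name="MFA on admin logins", annual_cost=15_000.0, aro_reduction=0.8)


def evaluate(pairs):
    """Return (scenario, safeguard, net value, justified) for each pair, best value first."""
    rows = [(s.name, c.name, round(safeguard_value(s, c), 2), is_justified(s, c))
            for s, c in pairs]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for scenario, control, value, ok in evaluate([(BIKE, TEN_DOLLAR_LOCK), (CUSTOMER_DB, MFA)]):
        verdict = "justified" if ok else "not justified"
        print(f"{control!r} against {scenario!r}: net ${value:,.2f}/yr -> {verdict}")
```

Run as a script, the bike lock comes out at a net loss of $7.75 a year (it removes $2.25 of expected loss but costs $10) while the MFA rollout nets $25,000 a year, which is the ranking a budget conversation with management needs. The same calculation also shows the limit of the rule: an ARO estimate is only as good as the incident data behind it, so revisit the inputs when the threat picture changes rather than treating the first answer as permanent.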
Thanks for stopping by and reading our blog. We would appreciate it if you subscribed (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads it, regardless of their knowledge or understanding of IT/cybersecurity. To learn more about us, check out our "About Us" page.