Wednesday, April 7, 2021

Policy -- What must it do?

I recently received a link to the electronic annual report of a company from which I receive service and in which I have a small investment.  I was pleased that it contained a button labeled "Cybersecurity Policy."  Needless to say, I clicked on this button.  This is what it said:

"We go to great lengths to protect our computer systems and equipment from the threat of a cyberattack. Our comprehensive network is designed to protect us from both internal and external threats. We’ve expanded our use of next-generation intrusion detection and prevention tools to further protect our customers’ personal information. And we’re regularly training our employees to stay aware of potential cyber threats."

I confess to having been more than a little disappointed.  This is more a statement of good intentions and practices than a policy.  None of my expectations of a "policy" were met.  

As both a practitioner of security and a customer of, and investor in, the enterprise, I would expect a policy, at a minimum, to: 

  • require that managers protect the assets that they control,
  • express the organization's tolerance for risk, or
  • some measure of the level of security to be achieved, and
  • require measurement and reporting of results, i.e., achievements and failures,
  • other.
Said another way, I would expect a policy to communicate to managers and employees what general management wants them to do and how much to spend doing it.  This statement, labeled "policy," fails to do that.  

The first and fourth bullets may be difficult to execute, while the second and third are difficult to express.  Such expression should ensure:

  • a consistent level of effective and efficient security across the enterprise,
  • that precious resources get appropriate protection, 
  • while expensive measures are reserved only for those assets that require them.
These results cannot be achieved without direction from general management.  Such direction is called "policy."  Policy is an important and useful tool for management and leadership.  

Note that management's tolerance for cyber risk will differ by industry, application, and maturity of the business.  A "startup" may have a very high tolerance for cyber risk, in part because its business risk is already high.  A mature company in a sensitive industry, such as finance, transportation, or energy, might be far less tolerant.