Lately, we've been running into cyber security programs and information security programs (ISP) that are elaborate, lengthy, complex, and written with a technical person in mind. The structure of these programs covers every conceivable event and idea that the organization could run into. While most would say that is a good thing, I'd say that there's a big difference between what is on paper and what is in practice. If policy and process don't lead to action on the part of users and employees, then the ISP will be ineffective.
Unfortunately, when the ISP is too complex for the organization, front line users are left holding the bag. Complicated policies leave people confused on what is expected of them. Impractical processes, while they look good on paper, require too much time or expertise on the part of the employee to be feasible. Either situation results in holes in the cyber security of the organization. Policies and processes have to be designed with people in mind.
Some ideas on this came to mind when recently reading Peter Drucker's book, "The Effective Executive". Drucker was a 20th-century thought leader in business management. This book focuses on decision making, process implementation, and leading information workers; all three being essential for a Chief Information Security Officer (CISO) to implement a successful cyber security program.
Practical Policies
The first step in creating a feasible program is to create practical policies. When you hear examiners say: "commensurate with the size and complexity of the organization...", this is what they mean. The best policies that I see are not wordy, eloquent, or cute. They are clear and simple.
Drucker talks about this in "The Effective Executive", when he quotes an old English proverb: "A country of many laws is a country of incompetent lawyers...". He goes on to explain that when in doubt, ineffective and lazy decision makers err on the side of "more is better". Drucker describes a solution that can be summarized as looking for patterns and generic situations, then adapting for specifics.
"A country of many laws is a country of incompetent lawyers..."
Some examples applicable to an information security program for a CISO would be to avoid addressing specific technologies, utilize standards and procedures, use bullet points, and remember that less is better.
Practical Processes
The second part is where the rubber meets the road. No policy is worth anything until it becomes a process. Drucker points out that until it is assigned to someone, with a clear plan for carrying it out, they are only good intentions.
The challenge with this is making the process feasible people involved and aligned with other business processes. Even with clear and simple policies, we see failure in execution of actually putting those ideas in place.
Some common mistakes when implementing cyber security processes:
- Only considering the technical aspects, forgetting the people
- Not giving enough training and explanation on "why" this is important
- Lack of ability to see the whole picture from a systems perspective
- Overly complex solutions
Some things to consider when implementing cyber security processes:
- Technical level of the staff this is being assigned to
- Time constraints and workload issues
- Effects on other business processes
- Is it sustainable
"Policies, without action, are only good intentions."
Conclusion
Getting practical action in place can be the hardest part of managing a cyber security program. Finding the appropriate level isn't easy, and that's where many CISOs and outside consultants struggle. Making this a priority is crucial to getting everyone on board with keeping information safe and should be a priority in every organization.
We've been helping out clients implement feasible solutions for several years now, and it is a core element of our approach. If you'd like to know more or to see if we can help you, email us at support@bedelsecurity.com.