All companies need a customized security policy
When companies realize they need a security policy, it’s oftentimes prioritized as a new initiative. Depending on the drivers for the security policy and the time-sensitivity, this may be thoughtfully crafted or…not. Regardless of how much time your company has to assemble a security policy, it’s important to invest resources to customize it. Customizing a security policy provides 2 key benefits.
Benefit #1: It communicates to your teams that the company is serious about security.
Imagine this. Your company communicates that security is a priority. Your manager emails you a copy of the security policy, hot off the presses, and you are asked to read it and sign a document that says that you read it, agree to comply with it, and had the opportunity to ask questions. However, after you finish reading it, you realize that it makes lofty statements and uses a tone that does not match the company’s culture.
For example, there’s a statement that visitors are not allowed in the office. However, your company is based in a shared working space, working alongside other emerging companies.
You even catch a few areas where it references a different company, and you immediately suspect that the creator has probably leveraged another company’s security policy and missed a find and replace key stroke.
As soon as your teams realize that the company’s security policy is a document that primarily serves a “compliance” purpose, they interpret security as a low priority for the company. This causes teams to quickly classify information security as something we say is important to us, but deep down, we know it’s not entirely true…
Benefit #2: It will allow you to mature your security program (vs. force you to re-write your security policy).
Let’s continue with the above scenario. Suppose that 1-2 years pass and your company is now in the middle of a security audit with external auditors. When they’re done, they produce a 20 page report of gaps. They find that the company is not able to demonstrate compliance with its own security policy. This then triggers putting forth a remediation plan, which calls for revamping the security policy. The company now has to direct valuable resources (time and budget) to re-write the security policy. I expect resources to be managed responsibly. Poor administration of resources will inevitably keep me from providing value and delivering results.
To summarize, go the extra mile to customize your company’s security policy. In the end, this step goes a long way in serving your customers, teams and managing the valuable resources at your disposal.
Photo Credit: Igor Ovsyannykov on Unsplash