Traditional InfoSec is Failing Us
Let me let you in on a little secret. Most security policies are really bad. I should know, I’ve seen many of them throughout my career. This is what I usually see:
Security Policies Are Long
Result: Very few employees read them.
In my experience, it's common for a security policy to be between 20 and 90 pages long. No joke, that is the norm. This is a problem because it makes it very likely that most of your employees are not reading it, even though they signed a document that says they did. If your employees are not reading these policies, do you think they will know what to do and what not to do? Probably not.
Security Policies Use Lots of Jargon
Result: Very few employees understand them.
I hate jargon. Security policies filled with jargon force me to reach for a dictionary every other word. This is a problem because my focus shifts from trying to understand the security policy to being reminded that I need to work on my vocabulary. If a security policy does not clearly articulate security expectations, will your employees understand how the policy applies to them? Again, probably not.
Security Policies are Written with No Input from Teams
Result: Teams don’t get on board with security.
Security policies are often written by a person sitting alone in their office with the door closed. This means that one person is deciding the security posture of an organization without input from the leadership team, colleagues, or anyone else. This is a problem because it quickly places the onus of security on that person, causing the rest of the organization to think that security is something they don't have to worry about. This is a big problem because security is a business problem! Whoever is charged with developing a security policy needs to understand how others feel about security, build on commonalities, and work out how to get people to take a position on areas that need additional discussion.
In Short: Most Security Policies Suck
This is a problem. The cybersecurity industry already has a backlog of unfilled positions. If we keep producing cybersecurity professionals who replicate the same mistakes, it is not going to strengthen our cybersecurity defenses.