Security is as much about educating users as it is installing security products

When IT people think about information security, their thoughts tend to gravitate toward products or technologies – the tangible elements of security. It’s easy to understand how a firewall or an intrusion detection system can help keep your information assets secure. But what about the intangible elements of your security program – the important things that you need, but that don’t come shrink-wrapped from a vendor? I’m talking about your corporate security policy, and your security education program.

I recently chatted with Scott Blake, vice president of information security at BindView and head of BindView’s Razor security research team, and he reminded me how important policy and education can be in an overall corporate information security program.

“Any organization that is large enough to have any type of documented business policies should have an information security policy,” says Blake. “Many companies don’t have a security policy at all. Among those companies that do, the policy is often outdated or unwieldy, sitting unused on a shelf.”

Why do you need a security policy? The objective should be to provide management direction and support for information security. Just as it must with a hiring policy or a privacy policy, a company’s management team should clearly demonstrate its support for and commitment to information security through the issuance and maintenance of an organization-wide policy. Without a written and “living” policy, employees could think that “anything goes” as far as how information assets are treated.

If your current policy is in dire need of an update, or if you don’t have one at all, Blake suggests that you hire a policy consultant to help bring order to the process. “Companies tend to hire security consultants to help formulate a policy,” he says. “But often, this kind of subject matter expert isn’t necessary. What you really need is a policy consultant who knows how to work with diverse groups and gain buy-in from all the stakeholders.” This gives everyone in the company a sense of ownership of the policy, and helps to eliminate the “ivory tower syndrome” that may result if the policy is developed purely by technical experts.

Once you’ve developed your policy, don’t stick it in a binder and shove it on a shelf. It needs to be a living document, constantly adapting to your changing business needs. For example, your policy should contain a definition of general and specific responsibilities for information security management. These responsibilities will change as your company changes. Consider telecommuting. This growing business trend shifts much of the responsibility for information security from the data center department to the home office worker.

Another critical aspect of a strong information security program is a commitment to educating your employees. BindView’s Blake recommends security training that motivates people to do the right thing. “You want to maintain consensus on protecting your information assets,” Blake says. “The policy and procedures you develop won’t work if you don’t keep them current on people’s minds.”

Blake advocates more than just “how to” training. He recommends you teach people about the risks and vulnerabilities your company faces. “If people understand the ‘why’ of information security, they are more likely to support the programs you put in place.”

For more information on creating a security policy, check out the ISO 17799 code of practice for information security management at http://www.iso.org. The Computer Security Research Center of the National Institute of Science and Technology also has good information on security policies, training, and technologies.
Visit this center at https://www.csrc.nist.gov/

If you’re looking for a tool to help you keep your policy live and up to date, check out BindView’s Policy Operations Center that was developed, in part, by Blake’s Razor team and Meta Group. Learn more at https://www.bindview.com/products/PolicyCenter/operations.cfm

Good information security takes more than just the technology we can throw at the problem. Good security also involves people, policy and procedures.

Linda Musthaler is vice president of Currid & Company. You can write to her at mailto:Linda.Musthaler@currid.com