By Craig Burland, CISO, Inversion6
Planning your next move to reinforce the organization’s cyber security posture? Take a moment to look away from that shiny new tool and cutting-edge technology. As impressive as “it” – XDR, AI-powered detections, orchestration — may be, technology is not the be-all and end-all of your organization’s defense. Implementing a collection of best-in-class tools may appease the board but won’t guarantee an incident-free year. Regardless of the mix of your cyber security controls, technology alone can’t overcome poor decision-making, rectify deep-seated ignorance of cyber security or transform your users into cyber security mavens. Unsettling? Indeed. Unexpected? Not at all.
The reality is that the core of your cyber security posture isn’t simply technological, but rather an often understated and overlooked factor: policy. An organization without policies is analogous to the American wild west of the late 19th century. Laws existed but few knew them, and enforcement varied wildly from town to town and situation to situation.
Policies help bring order to the chaos of a highly decentralized system by informing decision makers. Savvy organizations grasp this reality and approach the cyber security landscape with a clear perspective. They recognize that crafting comprehensive policies is a strategic investment, not a bureaucratic necessity.
As a cyber security leader, now is the perfect time to champion policies. While CEOs and CFOs fret about a recession, make policymaking your key investment for 2023. Embrace principles like “a security-centric culture” and “proactive, people-focused governance” to develop defenses that prove more robust, adaptable and cost-effective than those solely reliant on technology.
The Indispensable Role of Policies
Well-written policies represent more than a series of dos and don’ts. They serve as a roadmap, guiding your organization through the complex terrain of cyber security. They document the organization’s regulatory requirements and aspirational cyber security posture. They establish norms and expectations, delineating the route for everyone to follow. Contrary to common practice, policies should be the foundation of the cyber security strategy. Whether it’s enforcing multi-factor authentication, handling confidential data or adhering to incident response protocols, policies provide clarity, direction and justification.
A Guiding Force in Decision-Making
The “people, process, technology” triad is a foundational concept in cyber security. Despite having top-notch tech and processes in place, the “people” component can potentially weaken your defense. But with sound policies in place, you can transform this potential vulnerability into a strength. Policies guide individuals towards sound decision-making, fostering a culture where everyone plays a part in strengthening the defenses. They are your dependable guide in handling complex cyber security situations, offering a set of principles to help users navigate this intricate domain. Policies ensure that each decision contributes positively to your organization’s defense, rather than compromising it.
Policies at the Center of Awareness
Beyond setting direction, policies serve as educational tools. Thoughtfully designed policies promote good practices and underscore the importance of compliance. Not every team member needs to be a cyber security specialist. But leaving them uninformed is a serious mistake. Once written, policies must be shared broadly and consistently. They should be the cornerstone of your awareness campaigns with constant cross-references and reinforcement. Consider a DevOps team working at high speed to deliver new functionality. An awareness of the solution development lifecycle policy may make the difference between a developer opening an unprotected cloud workload to the internet and making a smarter choice.
Leadership and Policy Implementation
Leadership’s role in policy implementation is often underestimated. Management sets the tone for policy adherence, creating an environment of compliance and respect for cybersecurity rules. Leaders must not only follow these rules but hold regular discussions about security, address breaches promptly, reward compliance and encourage continual learning. Moreover, leaders should ensure that policies keep pace with the rapidly evolving cyber security landscape. This involves regular reviews and updates, reflecting the latest threats and best practices.
Technology Follows Policy
Teams all too often let technology dictate their strategy, essentially outsourcing their thinking to the vendor’s product managers. Why turn on MFA? The wrong answer is because your provider suddenly offers it. The right answer is because your policy requires it, stemming from an analysis of the regulatory environment and your threat profile. Monitoring, encryption and patching all follow a similar path. Technology should serve to enable and enforce policy rather than drive it. Post-implementation, analytics tools can monitor compliance trends and exceptions, indicating the need for additional training or stronger controls.
The Unseen Champion: Policies
In conclusion, good cyber security isn’t only about state-of-the-art technology. It’s centered on people – their understanding, their decisions and their actions. Guiding all these elements are your policies: the unseen champion of your cybersecurity defenses. More than a list of rules, they shape behavior, inform decisions and fortify defenses. In this evolving digital era, people are a constant. As you sit through a demo of the newest cyber security gadget, remember the silent sentinel – policies – and make the smarter investment.
About the Author
Craig Burland is CISO of Inversion6. Craig brings decades of pertinent industry experience to Inversion6, including his most recent role leading information security operations for a Fortune 200 Company. He is also a former Technical Co-Chair of the Northeast Ohio Cyber Consortium and a former Customer Advisory Board Member for Solutionary MSSP, NTT Global Security, and Oracle Web Center. Craig can be reached online at LinkedIn and at our company website http://www.inversion6.com.
Source: www.cyberdefensemagazine.com