September 3, 2015 By Kevin Beaver 3 min read

Quick, to the point and in writing: The purpose of an information security policy is to set everyone’s expectations by outlining what’s being done or what should be done to protect systems and information within the business. Policies are a convenient solution to today’s security ailments. Or are they?

Ask any executive and it would certainly appear that way. High-level managers often say, “Yes, we have a policy for that.” Auditors will say something similar. It’s commonly, “We have A, B and C policies, and they’re helping us ensure compliance with X, Y and Z regulations.”

Odds are that IT and security admins will say something completely different. I often hear, “I wrote some policies, but no one follows them.” It’s often not until a breach occurs that we realize the folly that most security policies represent.

I suspect that if a root cause analysis were performed on all the known breaches — especially the big ones occurring at large corporations and government agencies — we’d see that policies were documented and relied upon, yet policies failed in the majority, if not all, of the cases. I’ve seen and heard of countless organizations that have security policies for this or that but have never even performed a security assessment, have minimal security controls and have no program for such oversight moving forward.

The Problem With Your Security Policy

Security policies can create a dangerous false sense of security and can end up being used against you in a court of law. Looking at this from the plaintiff’s perspective in the case of a data breach, it won’t take much for lawyers, forensics analysts and expert witnesses to show that due care was indeed not taking place in the enforcement of policies and the ongoing management of security. That’s already happened in some bigger cases, and it’s certainly playing out in others right now. Now that it’s confirmed that the Federal Trade Commission (FTC) has the authority to go after companies due to lax security, this issue could get really big really fast.

Anyone can document anything they want in a policy involving things such as passwords, full-disk encryption for laptops, bring-your-own-device (BYOD) rules, etc. But it literally means nothing when these policies are not enforced, which is often the case. Rather than it being the oft-cited “glitch” causing problems, the breaches we hear about are a breakdown in information security management somewhere along the way.

Don’t get me wrong: I feel for those in charge of information security today. Given the lack of support from management, poor decision-making among users and overall information systems complexity we see today, it’s no doubt one of the most challenging professional jobs of our era, especially given what’s at stake. I don’t envy that role at all.

Talk Is Cheap

Not enough is being said or done about ineffective security policies. It cannot be stressed enough: Policies are not everything. In fact, they’re nothing without substance to back them up. Organizations that have no policies at all yet have otherwise solid information security controls are light-years ahead of the pack.

Who would I want to collect, process and store my sensitive personal information? No doubt the businesses with true security substance rather than mere documentation that’s not being enforced. Think about this from the perspective of your business. Would you feel comfortable with how information is handled if you were a customer? More importantly, are your lawyers willing to defend how things are being run?

We know that talk is cheap in many aspects of business, but I can think of no place where it’s more evident than in information security. We’re seeing this very issue play out in the courts today. It’s time to start unchecking those boxes and do what’s right before a third-party expert or analyst calls it out and you’re forced to act.
