Does the left hand know what the right hand is doing? Or does even the left pinky know what the left ring finger is doing? Problems can easily arise when policies, including cybersecurity ones, end up being out of sync with business, technical, legal or regulatory requirements.

The situation becomes even more severe when policy drafters end up with some stringent rule that leaves process or technology owners befuddled. Imagine if you have a recovery objective that does not obey the laws of physics. (Think: “policy requires a recovery time of five minutes” but your current architecture does not allow you to recover for at least an hour.)

Unintended consequences of overly strict cybersecurity can end up damaging a business and internal relationships.

Are the Right People Talking to Each Other?

Regardless of the role you are in now, it is quite likely that, at least once in your career, you have paused – likely out of frustration or exasperation – and openly wondered, “Does the other side of the house actually know what we do here and what we need to work?”

If you have found yourself in a case like this, you may have also witnessed the workaround. Users circumvent policies and rules just to get their day-to-day work completed.

Let’s say a user installs unapproved software on their machine. Cases like this are sometimes known as shadow IT. Applications and other technologies end up being managed outside of the enterprise’s control. The security fallout can be disastrous. If an attacker exploits a vulnerability in the unapproved software, it could serve as an entry point or vector onto the network. Next thing you know, ransomware – the top attack type globally, three years in a row – is spreading through your system.

So what’s the answer to stopping shadow IT? How do you ensure policy aligns with real needs? In a nutshell, it takes knowing your business, stakeholder dialogue, balancing objectives and defining your risk posture and tolerance.

Step 1: What’s in Your Business?

Policy development should be driven by actual needs. And rules must be realistic. If you are drafting policy, one of the major resistance points you may encounter is that users are fearful of the auditor. Once drafted into policy, all of a sudden staff become accountable. If the policy is very stringent, the stakeholder could end up throwing a fit, if for no other reason than for self-preservation.

Avoiding this requires a facilitator who can see all the moving pieces and understand the big picture. The most successful chief information security officers (CISOs) can balance all these conflicting (but related) priorities and needs, or at the very least, try. For CISOs, remember that your role has evolved into something much more than just deploying technical measures. Failure to adapt could result in your responsibilities being rolled into the chief risk officer position over time.

Therefore, to assist this effort, there are some quick steps that can help you navigate the big picture:

  1. Understand what your resources are.
  2. Define your risk posture.
  3. Get in the right frame of mind by knowing your business needs and limits. Apart from obeying the laws of physics, you must also obey the law of “How much money can I spend?” You may also need to seek some more funding from your superiors.
  4. Actually step up to the challenge, which, in this case, is balancing competing needs.

Step 2: Part Negotiator, Part Card Dealer, All Cat Herder

Governance issues are not easy, even in smaller organizations without much operational complexity. But governance and enforcement drive the security program. Therefore, the facilitators and drafters need to get ahead of the curve through some fact-finding and discovery.

These initial analyses with stakeholders help find workable solutions and reasonable expectations. For example, management may insist on a strict policy that facilitators and drafters realize is not realistic. What are some examples of living outside of reality?

  • Investment to meet the strict requirements outweighs possible benefit
  • Strict requirements will prevent business processes from operating efficiently, resulting in poor business performance or unauthorized workarounds
  • The exercise is no longer focused on risk, but rather turns into a compliance checkbox routine. In the worst of all scenarios, the routine eats up so much time it impacts normal business operations.

As a result, policy drafting – unless there is a clear-cut rule – will normally result in some jockeying, pushback and serious negotiation.

Step 3: Tie Policy and Culture

Some guidance from Dee Hock: “Simple, clear purpose and principles give rise to complex and intelligent behavior. Complex rules and regulations give rise to simple and stupid behavior.”

This should be your gold standard for policy development. Make sure that reasonable exception processes exist. By having an escape valve, you can also convey a clear path for special and unusual requests, limiting the prospect of shadow IT.

If you nail these down, your next critical step will be ensuring your people get behind the intents and purpose of the policy. This is why, if you are in charge of policy development, you also need to be an influencer.

In the end, it is a culture issue. If the boss is skirting the rules, expect the staff to play fast and loose with the rules, too. People need to know more than just what the policy is. They need to know why it matters to them. We previously discussed some good methods on how to convey the reasons to staff, allowing them to take the need for good security to heart.

If all the right stakeholders are involved, the purpose and intent are clear, and there are mechanisms to make the process work within reason, you are on the path to mutual trust. That will get you the cultural buy-in you are looking for.
