Does the left hand know what the right hand is doing? Or does even the left pinky know what the left ring finger is doing? Problems can easily arise when policies, including cybersecurity ones, end up being out of sync with business, technical, legal or regulatory requirements.
The situation becomes even more severe when policy drafters end up with some stringent rule that leaves process or technology owners befuddled. Imagine if you have a recovery objective that does not obey the laws of physics. (Think: “policy requires a recovery time of five minutes” but your current architecture does not allow you to recover for at least an hour.)
Unintended consequences of overly strict cybersecurity can end up damaging a business and internal relationships.
Are the Right People Talking to Each Other?
Regardless of the role you are in now, it is quite likely that, at least once in your career, you have paused – likely out of frustration or exasperation – and openly wondered, “Does the other side of the house actually know what we do here and what we need to work?”
If you have found yourself in a case like this, you may have also witnessed the workaround. Users circumvent policies and rules just to get their day-to-day work completed.
Let’s say a user installs unapproved software on their machine. Cases like this are sometimes known as shadow IT. Applications and other technologies end up being managed outside of the enterprise’s control. The security fallout can be disastrous. If an attacker exploits a vulnerability in the unapproved software, it could serve as an entry point or vector onto the network. Next thing you know, ransomware – the top attack type globally, three years in a row – is spreading through your system.
So what’s the answer to stopping shadow IT? How do you ensure policy aligns with real needs? In a nutshell, it takes knowing your business, stakeholder dialogue, balancing objectives and defining your risk posture and tolerance.
Step 1: What’s in Your Business?
Policy development should be driven by actual needs. And rules must be realistic. If you are drafting policy, one of the major resistance points you may encounter is that users are fearful of the auditor. Once drafted into policy, all of a sudden staff become accountable. If the policy is very stringent, the stakeholder could end up throwing a fit, if for no other reason than for self-preservation.
Avoiding this requires a facilitator that can see all the moving pieces and understand the big picture. The most successful chief information security officers (CISOs) can balance all these conflicting (but related) priorities and needs, or at the very least, try. For CISOs, remember that your role has evolved into something much more than just deploying technical measures. Failure to adapt could result in your responsibilities being rolled into the chief risk officer position over time.
Therefore, to assist this effort, there are some quick steps that can help you navigate the big picture:
- Understand what your resources are.
- Define your risk posture.
- Get in the right frame of mind by knowing your business needs and limits. Apart from obeying the laws of physics, you must also obey the law of “How much money can I spend?”. You may also need to seek some more funding from your superiors.
- Actually step up to the challenge, which, in this case, is balancing competing needs.
Step 2: Part Negotiator, Part Card Dealer, All Cat Herder
Governance issues are not easy, even in smaller organizations without much operational complexity. But governance and enforcement drive the security program. Therefore, the facilitators and drafters need to get ahead of the curve through some fact-finding and discovery.
These initial analyses with stakeholders help find workable solutions and reasonable expectations. For example, management may insist on a strict policy that facilitators and drafters realize is not realistic. What are some examples of living outside of reality?
- Investment to meet the strict requirements outweighs possible benefit
- Strict requirements will prevent business processes from operating efficiently, resulting in poor business performance or unauthorized workarounds
- The exercise is no longer focused on risk, but rather turns into a compliance checkbox routine. In the worst of all scenarios, the routine eats up so much time it impacts normal business operations.
- As a result, policy drafting – unless there is a clear-cut rule – will normally result in some jockeying, pushback and serious negotiation.
Step 3: Tie Policy and Culture
Some guidance from Dee Hock: “Simple, clear purpose and principles give rise to complex and intelligent behavior. Complex rules and regulations give rise to simple and stupid behavior.”
This should be your gold standard for policy development. Make sure that reasonable exception processes exist. By having an escape valve, you can also convey a clear path for special and unusual requests, limiting the prospect of shadow IT.
If you nail these down, your next critical step will be ensuring your people get behind the intents and purpose of the policy. This is why, if you are in charge of policy development, you also need to be an influencer.
In the end, it is a culture issue. If the boss is skirting the rules, expect the staff to play fast and loose with the rules, too. People need to know more than just what the policy is. They need to know why it matters to them. We previously discussed some good methods on how to convey the reasons to staff, allowing them to take the need for good security to heart.
If all the right stakeholders are involved, the purpose and intent is clear, and there are mechanisms to make the process work within reason, you are on the path to mutual trust. That will get you the cultural buy-in you are looking for.