Quick, to the point and in writing: The purpose of an information security policy is to set everyone’s expectations by outlining what’s being done or what should be done to protect systems and information within the business. Policies are a convenient solution to today’s security ailments. Or are they?
Ask any executive and it would certainly appear that way. High-level managers often say, “Yes, we have a policy for that.” Auditors will say something similar. It’s commonly, “We have A, B and C policies, and they’re helping us ensure compliance with X, Y and Z regulations.”
Odds are that IT and security admins will say something completely different. I often hear, “I wrote some policies, but no one follows them.” It’s often not until a breach occurs that we realize the folly that most security policies represent.
I suspect that if a root cause analysis were performed on all the known breaches — especially the big ones occurring at large corporations and government agencies — we’d see that policies were documented and relied upon, yet policies failed in the majority, if not all, of the cases. I’ve seen and heard of countless organizations that have security policies for this or that but have never even performed a security assessment, have minimal security controls and have no program for such oversight moving forward.
The Problem With Your Security Policy
Security policies can create a dangerous false sense of security and can end up being used against you in a court of law. Looking at this from the plaintiff’s perspective in the case of a data breach, it won’t take much for lawyers, forensics analysts and expert witnesses to show that due care was indeed not being exercised in the enforcement of policies and the ongoing management of security. That’s already happened in some bigger cases, and it’s certainly playing out in others right now. Now that it’s confirmed that the Federal Trade Commission (FTC) has the authority to go after companies due to lax security, this issue could get really big really fast.
Anyone can document anything they want in a policy involving things such as passwords, full-disk encryption for laptops, bring-your-own-device (BYOD) rules, etc. But it literally means nothing when these policies are not enforced, which is often the case. Rather than it being the oft-cited “glitch” causing problems, the breaches we hear about are a breakdown in information security management somewhere along the way.
Don’t get me wrong: I feel for those in charge of information security today. Given the lack of support from management, poor decision-making among users and overall information systems complexity we see today, it’s no doubt one of the most challenging professional jobs of our era, especially given what’s at stake. I don’t envy that role at all.
Talk Is Cheap
Not enough is being said or done about ineffective security policies. It cannot be stressed enough: Policies are not everything. In fact, they’re nothing without substance to back them up. Organizations that have no policies at all yet have otherwise solid information security controls are light-years ahead of the pack.
Who would I want to collect, process and store my sensitive personal information? No doubt the businesses with true security substance rather than mere documentation that’s not being enforced. Think about this from the perspective of your business. Would you feel comfortable with how information is handled if you were a customer? More importantly, are your lawyers willing to defend how things are being run?
We know that talk is cheap in many aspects of business, but I can think of no place where it’s more evident than in information security. We’re seeing this very issue play out in the courts today. It’s time to start unchecking those boxes and do what’s right before a third-party expert or analyst calls it out and you’re forced to act.
Independent Information Security Consultant