Quick, to the point and in writing: The purpose of an information security policy is to set everyone’s expectations by outlining what’s being done or what should be done to protect systems and information within the business. Policies are a convenient solution to today’s security ailments. Or are they?

Ask any executive and it would certainly appear that way. High-level managers often say, “Yes, we have a policy for that.” Auditors will say something similar. It’s commonly, “We have A, B and C policies, and they’re helping us ensure compliance with X, Y and Z regulations.”

Odds are that IT and security admins will say something completely different. I often hear, “I wrote some policies, but no one follows them.” It’s often not until a breach occurs that we realize the folly that most security policies represent.

I suspect that if a root cause analysis were performed on all the known breaches — especially the big ones occurring at large corporations and government agencies — we’d see that policies were documented and relied upon, yet policies failed in the majority, if not all, of the cases. I’ve seen and heard of countless organizations that have security policies for this or that but have never even performed a security assessment, have minimal security controls and have no program for such oversight moving forward.

The Problem With Your Security Policy

Security policies can create a dangerous false sense of security and can end up being used against you in a court of law. Looking at this from the plaintiff’s perspective in the case of a data breach, it won’t take much for lawyers, forensics analysts and expert witnesses to show that due care was indeed not taking place in the enforcement of policies and the ongoing management of security. That’s already happened in some bigger cases, and it’s certainly playing out in others right now. Now that it’s confirmed that the Federal Trade Commision (FTC) has the authority to go after companies due to lax security, this issue could get really big really fast.

Anyone can document anything they want in a policy involving things such as passwords, full-disk encryption for laptops, bring-your-own-device (BYOD) rules, etc. But it literally means nothing when these policies are not enforced, which is often the case. Rather than it being the oft-cited “glitch” causing problems, the breaches we hear about are a breakdown in information security management somewhere along the way.

Don’t get me wrong: I feel for those in charge of information security today. Given the lack of support from management, poor decision-making among users and overall information systems complexity we see today, it’s no doubt one of the most challenging professional jobs of our era, especially given what’s at stake. I don’t envy that role at all.

Talk Is Cheap

Not enough is being said or done about ineffective security policies. It cannot be stressed enough: Policies are not everything. In fact, they’re nothing without substance to back them up. Organizations that have no policies at all yet have otherwise solid information security controls are light-years ahead of the pack.

Who would I want to collect, process and store my sensitive personal information? No doubt the businesses with true security substance rather than mere documentation that’s not being enforced. Think about this from the perspective of your business. Would you feel comfortable with how information is handled if you were a customer? More importantly, are your lawyers willing to defend how things are being run?

We know that talk is cheap in many aspects of business, but I can think of no place where it’s more evident than in information security. We’re seeing this very issue play out in the courts today. It’s time to start unchecking those boxes and do what’s right before a third-party expert or analyst calls it out and you’re forced to act.

More from Risk Management

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…