SHIFTING PERCEPTIONS OF IT AND CYBERSECURITY POLICIES: POLICY SHOULD NOT FILL YOU WITH DREAD
By Kat Lennox-Steele, Information Security Analyst and Co-Founder at Cyber Tribe and MVP
In conversations about policy you will often be met with groans, exclamations of boredom and sometimes apprehension. Writing and managing policies is seen as time consuming and as requiring expertise. It is also expensive, so it can easily get tossed into the too-hard basket when the day-to-day running of your business seems more important. This was my perception until I started working with companies to improve their compliance and realised the positive impact that well-structured policies could have.
Policy is viewed as one of those things you need to have to tick a compliance box and to make sure every new employee reads in their first week. Once they have been through their induction, it is unlikely they will ever see those policies again.
Traditionally policies have been seen as a mechanism to protect an organisation and are brought into bat when addressing poor employee behaviour or when the policies themselves, regulations or the law are breached. Often policies are long, verbose and full of technical or legal jargon, making them difficult to consume, comprehend and retain.
After many years of conducting cybersecurity assessments in various roles, our team found that for most companies cybersecurity and IT policies were often a shortcut to achieving compliance. But why is policy so underrated and underutilised?
People are at the centre of our businesses, clubs and communities with technology as another layer or enabler. Policy at its core is about people. If we change our perspective, policies represent a tool that can be used to help, not just to enforce rules and dish out punishment.
Changing people's perceptions of policy might seem like a hard sell, but when used correctly policies can foster a culture of commitment, personal responsibility and self-regulation by clearly communicating boundaries, expectations and accountability within your team. Good policies also let your team know where to turn for help.
Policies are the top tier of the cake; the supporting layers are standards and procedures, the detailed, directive 'how to' guides. Using these tools together brings uniformity to operations, and they can be used as training tools, reducing the risk of an unwanted event. Effective policy creates a business environment that is efficient, fair and responsive: one that encourages justified decision making and promotes good business and cybersecurity practices.
Once you have policies in place you can then easily align your information and cybersecurity strategy to the aims and core principles of those policies and use them to guide the creation of a roadmap for the implementation of controls to meet the needs of your organisation.
Initiating change will always be tough. When attempting to introduce policy to an organisation or alter existing policies, there are a few key considerations to ensure success. Not everyone in your organisation will need to be across every single policy, and I recommend allocating policies according to roles, personas or location. Look at the culture in your teams when creating your plan for rollout and decide on the best vehicle to tackle it. This might be a team meeting, a newsletter or a competition between departments or teams. It could also be important to choose an appropriate time: an accounting firm would be unlikely to appreciate a policy rollout at the end of the financial year.
A policy should address a real need in your organisation. Helping everyone to understand some of the benefits it will bring can help ensure better uptake and commitment to the desired ways of working. Buy-in from those at the top will also help the messaging filter down through your ranks. Requesting feedback, having an open forum or providing a point of contact for anyone to ask questions can also keep your team engaged and support the idea that policies are a tool, not a one-time thing. Feedback also provides visibility of support and keeps everyone in the loop.
The company I founded, Cyber Tribe, aims to help lift the cyber posture of all organisations through easily accessible policy, management tools and user awareness training.
With my newfound passion for helping people with policy, I created a set of policies aligned with best practice and leading industry standards that would close the identified gaps. One of my main goals was to compose policies that would be concise and easily understood by the reader without loss of the critical messaging. We have developed a SaaS policy management solution, Impetus, to democratise access to these policies for organisations of all shapes and sizes.
One of the biggest pain points for organisations I have worked with has been the storage and management of their policies and the recording of who has read and acknowledged them. Impetus acts as a repository to keep all policies in one place. Once users have been granted access, they can view the documentation at any time. This allows people to use policies as living, breathing tools that can, with some quick editing, easily evolve whenever changes occur. Each user is also required to digitally accept the policies, providing a record for auditing purposes. Impetus will also notify the policy owner when it is time to review and renew a policy, enabling compliance to be maintained.
Policy control is one of the essential controls we need to normalise and use better in our businesses. Using policies as tools to support and empower people while fostering an improved cybersecurity awareness culture can only be a good thing.
www.linkedin.com/in/klennox-steele
www.cybertribe.co.nz
www.minimumviableprotection.com
www.capacitategroup.com