There’s been a dire lack of guidance and commentary on security policies of late. Perhaps because it’s one of the most mind numbing topics in InfoSec (possibly with the exception of data classification). But goodness gracious me?! What’s this?! Two articles published within two days on the Tripwire State of Security Blog.
Just in case you missed them, the first is mine (yes, I am blowing my own trumpet a tad) and the second is by the incredibly talented Claus Houmann (of I am the cavalry and other fame). We challenged each other to do this off the back of a lively twitter exchange. “About Policies?!” I hear you cry – yeah, actually, it really was (if you don’t believe me there’s a link to the twitter thread in my article).
Initially Claus was worried my conversational style would eclipse his more concise and structured one. No chance. He’s nudged ahead in the sharing stakes. Do I care?….Yeah a bit (but we don’t know the view counts yet 😉 ). Putting all my rabid competitiveness on one side, it really doesn’t matter. It’s for the benefit of you folk in the security game and the people you coax, educate and occasionally harangue to do the right thing:
A look at things a security policy should not be (including huge, bottomless, ownerless, risk-neutral and flat) plus suggestions for better ways and lots of links. It also provoked that week’s ‘Wednesday Wee One’ (a.k.a. tweet-size analogy a.k.a. #Analogette), which turned out to be the most viewed and shared to date. Here is the first in the linked series to give you a feel for content of the article.
Infospectives (@S_Clarke22) March 18, 2015
Beginning to think security policies are like Santa Claus. Many believe, a few have seen the real thing and the rest know the truth 🙂—
(@BrianHonan) December 19, 2012
It’s an excellent run down of exactly what the title suggests. Reminding us all why we need a written and agreed statement about security. It’s also bridged the business/security divide. Probably due to Claus’s skill at keeping language simple and still impactful. I’ve seen it shared far and wide across LinkedIn and other social media.
I said a cracking pair…let’s make that a trio. This is the riposte from Phil Huggins (@OracUK) from his excellent Black Swan Security blog. He equitably admitted this tweet (the first in the twitter exchange that kicked all this off) was perhaps missing much needed context:
Do written security policies really make much sense any more? Is a combination of technical controls and quality risk communications enough?—
Phil Huggins (orac) (@oracuk) February 03, 2015
Context he’s now eloquently re-injected in the linked article. His background of late has been in companies that thrive on agility and creativity. The kind of companies that can be hobbled by rigid rules. He was quite rightly trying to find an evolution of what we’ve all come to loathe – the compliance box-ticking policy document. What he found instead was an exchange that focused first on the bizarre notion of having no written and shared rules. A shame. Both Claus and I have read and shared his article as it is a valuable signpost to future discussions on this.
How can you align staff, partners, suppliers and customers around good security and risk practice without a traditional document set to hold it together?
I suggest one very practical step at the end of my article. Proposing we bin the old style flat documents and instead put something far more like a well structured Wiki in place. Phil, in his article, is far more focused on first class communications and education. I couldn’t agree more with him on that, as those who read my blog know. I’ve started a correspondence about this with Phil and if we hit on ways to finally relieve your policy pain, I’ll be sure to share.
The main lesson I’ve learned from this is to consistently follow my own rules e.g. to give people who’s views I interpret in my posts the right of reply. If I had done so, the original article would have had an additional valuable perspective.
So, why not grab a coffee and refresh your memory on what one is, why you need one and work worth planning to make it do what it needs to do for you and your business 🙂