Don’t write CyberSecurity Policies that nobody will ever read or even use!
When asked whether they have defined CyberSecurity policies, many CISOs answer: “Yes, of course! Even reviewed on a regular basis!…”
However, when asked whether all users know where to find them, how to search them, and whether they always find what they were looking for in due time, it’s another story…
Many companies write policies only to comply with regulations or to pass certifications. This policy exists, check. That other one has been reviewed, check. But nobody cares.
Worse, in the end no one even knows what should be observed or complied with. Even worse, everyone prefers to ask the CISO or his/her team about it. It’s quicker than taking a couple of minutes (best case…) to search the policy! Guess what? The more you answer, the more questions you’ll get!
Indeed, nothing prevents inconsistent answers from being given, either due to the turnover of CyberSec team members, their availability, skills, etc. And in any case, isn’t it a pure waste of time?
A good indicator is the number of times the CISO or his/her team has been able to use the written policies to avoid spending time writing accurate and exhaustive answers. Instead, they’re able to simply say: “please refer to such article from such policy, which should clarify everything, in a consistent and efficient way”.
OK, but… to do so, policies must be properly written. They must be short and straight to the point. They must be clear, accurate and exhaustive. They must include the mandatory rules, but also the recommendations and the allowances (that are not recommended, but only tolerated). They must be properly structured, but also be mapped onto the well-known reference documents (standards) available. And, of course, they must be updated as soon as necessary. Not only once a year 🙂.
Writing different policies instead of a single one is quite old-fashioned. Rather than splitting policies into different documents, I believe it’s a better idea to use Intranet search engines to make sure the right article is found as quickly as possible.
Of course, with such an objective, there are far fewer companies that can claim to manage CyberSecurity policies in a mature way.
But when they do, they benefit from the full power of efficient documentation, spend far less time explaining what businesses must comply with, and avoid a lot of frustration: indeed, the CyberSecurity team is much more “predictable”, and its reputation is drastically reinforced!