What Security Policies and Car Brakes Have in Common
When we think about why cars have brakes, the obvious answer would be to slow the vehicle down. While this is true, the real benefit of brakes is to allow you to drive faster. The better the brakes, the faster you can go, confident that you can stop quickly if needed.
We can think about IT security in the same way and how an effective security policy is like the brakes on a car.
Here’s why:
By defining a strong security policy, what organizations want to accomplish is to enable communication between the people who own the business processes and the business outcomes with the technical people who are responsible for implementing and securing the data. Success requires finding a common language that focuses on a company’s data: where it is, who needs it and how to protect it.
In our experience, the most effective security policies are often the simplest and expressed in a meaningful language to the business. People talk about it, people can implement it, and every time a new application is introduced or a new data requirement comes along, the wheel does not need to be reinvented. The business can drive forward faster with confidence and has the mechanisms to stop if required – just like brakes on a car.
As an example, we worked with an organization that would require three or more weeks to implement a firewall rule for a new data requirement. After going through the steps and defining an effective policy, IT could do the same task in a couple of hours. Why? Everyone was speaking a common language about their data and the policies that needed to be implemented to protect that data. The business could move forward faster.
Three Steps to a Simple But Effective Security Policy
Too often, technology solutions get ahead of the business and security projects become focused on bringing in the shiniest, newest products. While a half-million-dollar firewall can do great things, without a policy behind it that understands the company’s data, it’s a false solution.
We’ve found that a strong IT security foundation is built by following these three steps before considering the implementation of security solutions:
Step One: Governance
Defining governance starts by identifying the roles and responsibilities of ownership, implementation, staffing and operation of security tools.
By identifying the people involved, we can begin to open communication channels and simplify the language so that all parties can understand.
Often, an imbalance between the business side and the technical side results. In some cases, the technical people are trying to protect the business in ways that make sense to them but don’t serve the business. Vice versa, business executives can create barriers such that the technical side is unable (or unsure of how) to get the job done.
Step Two: Data Classification and Inventory
Once the people and the accountability framework are identified, the focus can turn to the data. Walking through all the data a company has and where it resides really helps to simplify the conversation. A lot of times, companies are unaware of where their data lives.
Our experience has shown us that companies that have had the most success at connecting business executives with the technical side have had meaningful conversations about their data and spent time classifying data into a common language.
What do we mean by a common language? Data classification requires sorting data into a finite number of classification zones so that an organization can simplify and scale the use of it to define appropriate policies for the type of data.
It is common for the number of data classification zones to differ between each organization. Some organizations may have three zones, while others may have up to five. It is dependent on their security targets and what language makes the most sense to the business’s data.
Three common data classification zones we frequently see are:
- Public information – data that can be found in public spaces, such as on websites, in phonebooks, etc.
- Business information – data that is important to the business’s function and which they would not want in a public space.
- Secured information – data that would hurt the integrity of the business if it were released, such as customer data, medical information or financial information.
A variety of data types will fall under different zones based on how a business wants to protect it. As a result, the security policies to protect that data classification zone will differ from other zones.
Step Three: Policies
Using a finite number of classification zones allows an organization to build in advance what the permitted and appropriate policies and rules will be for each type of data.
As part of this process, the business is able to step through the seven security hygiene tools to determine what the necessary requirements for each data classification zone are. This could be requirements around authentication, backups, encryption and more. You can read more about the seven security hygiene tools here.
Overall, understanding data and how best to protect it is fundamental to security policy. The key is it should be simple – simple enough that business executives can understand it, such as having the policy written into a half-page summary – and that it must be actionable so that IT is able to effectively do their job.
Every organization should go through these three management process steps before starting to deploy security solutions. It’s a critical first-stage to good security hygiene and safeguarding your data.
Getting Started with Your Security Policy
Even though a security policy should be simple, getting started isn’t always easy. Many of us need an extended team to help inventory and classify our data and determine the appropriate requirements to protect it. If you’d like to discuss further, feel free to reach out to us. We’d like to hear your feedback and thoughts on this blog post.