Policies, Policies Everywhere!


Policy is defined by culture.
We’ve all rolled our eyes whether our part has been to read, write, or accept a policy. What we’ve been doing for the most part, is no longer working for businesses and their employees. It’s time to change and market our business rules so that they are actually adhered to and work!

In a perfect world, the policy comes first. In the real world, the standards, guidelines, and procedures often come first and the policies are written afterwards. Policy should emphasize and support the culture, and if your policies are the driver of that culture, it is much easier to get buy-in.

Part of the issue is defining the terminology and speaking the same language. Every organization should define a few key terms; the definitions should be solid, but they can vary depending on context. In general, regarding a data handling policy:

  • Policy - The goal or objective. This is the data we have, and the policy says we have to look after it.
  • Standard - Details of what you’re going to have to do to meet your policy objectives.
  • Procedure - This is how we look after that data.
  • Control (IT Security Related) - This is how we put the checks and balances into it so that we can validate it.

Everybody needs to understand their role and their place, and go by the rules. That does not translate well in a lot of companies. From a business perspective, we think of compliance goals and the fact that we need to keep the doors open. We need to address security policies first, then get down to the technology and analysis. They all need to have the right focus and have a place within your employees’ roles.

Policies have to be aligned with business goals.
There is a huge issue with strategy, communications, and alignment when we are talking about how well the different areas of a business work together to implement policy. For the most part, security professionals don’t understand what is happening in other areas of the business. Understand what the rest of the business departments are trying to do in order to complement what you are trying to do, with the understanding that we are ALL trying to solve a problem.

The policy not only impacts a company financially, it impacts clients and your brand, and all of it can be put into one of two buckets: the ability to earn revenue and be in business, and how much it will cost to remain in business.

Know your audience and what their role is in the business so that you can understand their risk appetite. Target their pain points, explain to them how putting a specific policy into place affects them, and help them understand the financial risks involved. For example, if your website takes credit card payments, the IT team and the accounting team are going to be concerned about PCI (Payment Card Industry) policy standards. Research and use that knowledge to help build and market the policy for taking credit card payments.

Make your team(s) a part of creating and implementing the policies.
Policies are more meaningful and likely to be followed when your teams have a sense of ownership in helping to create and implement them. Your employees are your best line of defense and reason for being and staying in business.

It’s all about creating a level of understanding so that everyone is on the same page, follows the rules, and is excited about it.

Make it easy to digest.
All of us have been raised with rules since we were tiny humans. The world has changed, and we consume faster than we can think. Humans shouldn’t have to decode your policies. “Just tell us what we have to do and give us all the things we need to get it done! Tell us what is acceptable or not.”

We are past giving out training and exercises that only tick boxes. We now have to relate to people on a personal level. That means giving them an understanding they can use everywhere and not just at work.

If you put the work in to make policies digestible, behaviors will change, and the policies will work. Here are some ways to make policies a little less daunting:

  • Break down your 30 page policy into smaller 1-2 page chunks that speak to people.
  • Create cheat sheets with only the things that your people need in order to move on! (Cheat sheets courtesy of David Hundley)
  • Add callouts and footnotes to policies so they can be read and understood at-a-glance.
  • Create easy-to-read flip books like this one!

Think like a marketer and you will market your policies and create change. Understand that nobody is invested in reading a super boring 30 page document about rules. Bundle your policies up with a bow and present them as the gift they are. Now, doesn’t that sound more fun?

Whose responsibility is it?
There is too much belief in the world that security is someone else’s problem and should be “taken care of.” Security is everyone’s responsibility, and it’s a cultural thing.

In larger companies, policies are controlled by a compliance group made up of C-level, operations, and HR individuals. It may look different in a smaller company. At the very least, someone at the C-level or an operations leader owns the policy, and the standards that fall under it may be owned by security.

There may be specific parts of your policy that HR handles versus IT. For example, your security team may own the policy, but HR is there to help hold employees accountable.

DevSecOps teams can really make a difference and lead by example in implementing new technology, policy, and procedure. As long as your Development, Security, and Operations teams are walking shoulder to shoulder and speaking with one voice, they will be able to pull in the rest of the company behind that voice.

Measure the effectiveness of your policies.
Every company and department’s definition of success is different.

Examine how your data relates to the risks and processes in your company in order to create effective policies. Create your KPIs from that. Start with the key areas that you think you need to improve first. Ask yourself if the company is “alive” at the end of the day.

Don’t reinvent the wheel. Look at what’s out there, make it your own, make it better, and share it with others. NIST has great frameworks already in place that you can tailor to your own needs.


  • NIST (National Institute of Standards and Technology)
  • Practitioner's Reference for Pragmatic Security Policies
  • How to Measure Anything in Cyber Security Risks
  • PCI Council
  • Policy cheat sheets courtesy of David Hundley

Moderated by

  • Wizer’s hacker, Chris Roberts!