Why you have to look past security policies for real improvements
Security policies are all the rage these days. I think that to an outsider looking in at what it takes to build and run a solid information security program, the answer would seem to be a set of well-written policies.

After all, that's what the auditors ask for when they show up. It's also what the standards bodies emphasize. It's what the regulators prioritize. Policies equal security. Once you get your policies in place, you can kick back and, when asked, just refer people to your documentation and proclaim "that's how it's done here". Don’t laugh - I see this approach to security quite often.

In information security, there's theory (fluff) and then there's reality (the painful stuff). Most security policies are nothing more than theory. They're intangible. They're often unenforced. They're rarely followed (or even known) by the very people they apply to. Policies are often not worth the storage space they occupy out on the network. On the other side of the equation is the harsh reality we've come to know as the security basics: the things that are so often missing and that create virtually all of our problems:

  • weak passwords
  • missing patches
  • improper endpoint protection against malware and unauthorized access
  • limited network visibility
  • web server and application flaws
  • personally identifiable information and intellectual property that has gone unidentified and sits unprotected on the network

I could go on and on. It's no different than how research is showing that sugar, wheat, and all the other carbs we consume without question are at the root of many of our big health problems. The “healthy whole grains” that food manufacturers, nutritionists, and doctors often recommend to fix what is ailing us are actually causing more problems than they’re solving. We have overlooked the basics of what it takes to be healthy to such a great extent that it’s costing lives and creating a huge burden on society. The same goes for the latest and greatest security products and services. We keep having all of this stuff shoved down our throats when really all we need to do is step back and tweak some systems and processes.

I truly believe that, in the grand scheme of things, security policies mean very little to the average business. I think in most situations, policies merely serve to create a façade to show that work is being done, but this does nothing but create a false sense of security. One thing that you must remember: security policies don't get hacked. Instead, it's the people, the processes, and the computer systems that get abused. And you had better know where these weak areas are so you can address them, soon. Figuring out where you're weak and then taking reasonable steps to do something about it is the only prescription for real security improvement. You either have to eliminate those weaknesses, prevent the information from being exploited, or put controls in place to minimize the impact on your business if the worst does end up occurring.

I do agree that security policies set expectations. That's a good thing. However, they do little to actually implement or enforce anything. If the information security essentials that are being exploited in incidents and breaches were addressed, then most of the typical security policies we see in business today wouldn't be necessary. Stop taking the traditional approach to security and focus on your true priorities. Unless and until you solve your true challenges, the risks will remain.