How can you make a cybersecurity policy that works?

A cybersecurity policy's primary focus should be enabling business operations. Thus, its requirements will vary based on the nature of the business. If your organization operates in a highly-regulated space and maintains large quantities of customer personally identifiable information (PII), it is quite possible you will have very stringent requirements for data confidentiality. Your policy should reflect this fact. Conversely, if you are building a meme generator and do not maintain large quantities of customer PII, then perhaps data availability will be a more important consideration. Whatever the case, ensure that you don't attempt to build the policy in a vacuum. Business needs should drive its development.

A key consideration for your policy should be assigning ownership for every directive and task contained therein. Many cybersecurity policies will say things such as "vulnerabilities must be patched" or "multi-factor authentication shall be enforced" without specifying who is accountable. Only slightly better is when policies assign accountability to vague groups such as "executive management" or "the risk committee," without specifying who comprises either. Without clear ownership of individual tasks, it is unlikely they will ever get done.

You can use a template or framework, but be aware of the risks: 1. Generic templates may not address your organization's unique needs and risks. 2. They may not be compliant with applicable laws and regulations. 3. They may be difficult to understand and implement. To mitigate these risks, customize any template you use and have it reviewed by a qualified cybersecurity professional. Here are some additional tips for drafting your policy: 1) Make sure it is clear, concise, and easy to understand. 2)Tailor it to your organization's specific needs and risks. 3)Ensure it is aligned with your organization's mission and values. 4) Make sure it is compliant with all applicable laws and regulations. 5) Have it reviewed by cybersecurity professional

Establish the relationships with key stakeholders, and the need, significance of each policy. Establish a workflow, or process for approvals. Share it with the stakeholders. Follow it strictly, so you don’t damage relationships. Codifying it in its own policy will satisfy auditors

Business - rather than security - leaders should both own and communicate security policies to their teams. While cybersecurity and other advisors should absolutely assist with drafting policies and make recommendations for their communication and implementation, the core message should come from the Chief Executive Officer, Chief Operating Officer, General Manager, or similar cross-functional leader. If security policies are seen as being solely a product of the cybersecurity team, it will be much more difficult to get members of the relevant business unit to comply.

Consider how you will handle non-compliance with cybersecurity policies, and record your approach as part of the document. Many policies simply say "non-compliance can result in disciplinary procedures up to and including termination." While this is a necessary statement, it is by no means sufficient. To ensure effective enforcement, I would strongly recommend having a mandatory re-training provision that kicks in after a certain number of violations in a given time period. For example, if two or more people in the same business unit fail a phishing test within the same quarter, you might consider requiring mandatory email security retraining. This will help to identify - and fix - gaps in understanding in your workforce.

It is very important to realize that we are in a living and evolving environment. Policies we write today may not be applicable or beneficial in the future, for example password strength requirements. Additionally, as new technological advances occur, new security best practices have to be implemented. So it is important to stay connected with the current changing landscape!

Your policy should be a living document with a clearly delineated change management procedure. Annual reviews should be the minimum, but also ensure you build in the flexibility to change how you do things based on evolving business requirements or security threats. For example, if the organization is rapidly integrating Software-as-a-Service (SaaS) products using Artificial Intelligence (AI), you may want to consider tweaking your asset management and acceptable use policies to address the rapid change in your technology stack.

Here are some tips: compliancerisk.io's 4-part program helps you create and implement an effective, compliant, and user-friendly cybersecurity policy. Alignment: Understand your organization's unique needs and goals, and align your policy with them. Authorization: Identify stakeholders and develop a process for obtaining authorization for changes. Adoption: Implement your updated policy and ensure staff adoption, providing training. Assessment: Assess the effectiveness of your updated policy and make adjustments over time.

A cybersecurity policy is an important way to codify your organization's risk appetite and tolerance to ensure they align with your business objectives. Different teams and individuals might have widely varying ideas of what types of behaviors and approaches are appropriate when attempting to achieve the organization's goals. For example, a rapidly growing video game company that is quickly spinning up and down virtual machines to process game data may not need an especially stringent vulnerability management policy. Conversely, a bank with a relative stable infrastructure will need to be extremely conservative in terms of its vulnerability management policy to protect sensitive customer data. Policies make clear these requirements.

I found it helpful to list the specific controls that a policy addresses or discusses. It helps with the compliance review when aligning policy to compliance requirements.