Simplicity is your best security tool
Advanced is not always best. When we're talking about communicating and implementing security, simplicity is king. Let me explain why:
Security is about trust. To people not working with security, it tends to be a nuisance because, let's face it: implementing security in a way that makes somebody's life easier is a unicorn. It's possible but rarely happens.
As a rule of thumb, security is cumbersome. Employees in your company need to have faith that it makes sense for things to become more cumbersome. That happens with the use of two simple tools: simplicity and trust.
I don't know about you, but long and complex sentences with words I don't really understand confuse me. I hate being confused.
When we're talking about security policies, I like them short and simple. When it's simple and makes sense to me, I understand. I understand why. And when I understand, I trust.
The 'why' part is extremely important to me. If I don't understand why I'm doing something, don't count on me doing it.
I'm guessing it's the same for you. Because you're an intelligent and free-thinking person, just like me.
So, back to security policies. They need to be short and simple. Because then I understand, you understand - we all understand. And when we understand, we adhere. We're compliant. In other words: short and simple is, to me, the foundation of compliance.
In simple, positive wording, security policies describe what you should do to keep your company secure. That's where the positive wording comes in: They don't describe what you're not supposed to do and what is not allowed - only what you should do and what is allowed.
A policy doesn't go into details about how a certain policy should be adhered to in practice. That's where processes and procedures come into play.
But that's another story.
For now, all you need to know is that policies should be simple so that everyone understands. Because if they do, they will partake in the daily work of keeping everybody secure.
It's as simple as that.
Endpoint Management and Security Specialist
1 month: Awesome thoughts. Def think I will keep this in mind when refreshing our policies. Makes good sense, especially when you don't have big bucks to spend on enforcement and internal audit personnel. Make people nod their heads and think "yeah, this makes good sense".
Cybersecurity Architecture | Network Security | Application Security | Cloud Security | Master's in Cybersecurity
1 month: Spot on, Klaus A., absolutely 10/10 article! The main job of the Cybersecurity domain is to make it EASY for others to stay safe.
Building a more cyber secure world, one person at a time
1 month: Spot on, Klaus A. I once worked for a company where the Infosec policy was 90 pages long, full of text. The number of people who read it? Zero. We then changed and moved to a 3 page policy which was bright, colourful and had simple messages. People engaged with it because it was accessible. Most non-security people simply don't care about security. But by making it simple to understand and relevant to their everyday experience you hit a number of key adult learning principles at once.
I totally agree on this message. But you already know that. I also really love how our conversations can jump from Dragonlance to security culture to kids' coding and stickers and then easily jump from there into security policies. Few can keep up with me when I get going on some of my favorite topics, but you really excel in following my popcorn brain when it "pops". Thanks again for dropping by, Klaus A. Let's do so again soon?