Updated: Jun 17, 2020
Formalizing your cybersecurity program can seem daunting or even unnecessary, but it is an important step in advancing the program. Formalizing your program leads to improved security posture, higher program performance, and decreased cybersecurity risk. Successful cybersecurity programs are characterized by their ability to consistently produce desirable results while also remaining adaptable to the threat landscape. To operate at this level, policies and procedures must be formally documented, approved by key decision makers, and properly distributed throughout the organization. Continuous maintenance and review are necessary to keep pace with the ever-changing threat, vulnerability, and compliance landscape.
For the purposes of this publication I wanted to briefly highlight the difference between policy and procedure. As high-level statements, policies are requirements and standards to which the entire organization must adhere; they are typically approved and implemented by senior management. They tend to be prescriptive rather than descriptive and, as such, are less subject to change. Procedures, on the other hand, are step-by-step instructions that describe how to perform a specific process or set of processes. They are created and maintained by the data/process owner(s) and will change more regularly than policies. While they do not require senior management approval, they must support the organizational policies unless an exception is requested, approved, and documented in accordance with those policies.
With the basics of policies and procedures in hand, let’s move on to the burning question—why formalize your cybersecurity program?
Without senior management support, successful implementation of a formal cybersecurity program will be difficult, if not impossible. Implementation and budget prioritization are key to green-lighting any cybersecurity program, which in turn can alleviate burnout and strained relationships and help eliminate unnecessary turnover of cybersecurity professionals. With top-down support and the necessary resources, the cybersecurity team is empowered to advance the program and manage IT-related risk. Furthermore, senior management approval makes the policies enforceable and conveys to everyone in the organization that cybersecurity is a shared responsibility.
In the words of author Bob Proctor, “Accountability is the glue that ties commitment to the result.” Policies and procedures play an important role in defining and enforcing accountabilities for specific processes. As Bob Proctor alludes to, things get done when people are held accountable. Strong policies clearly define accountabilities for everyone in the organization—from the board room to the cubicle—while strong procedures describe how and by whom specific processes are to be performed. Together this formal documentation sets expectations for all personnel and ensures that processes support organizational security objectives.
Given high turnover rates and a growing talent gap within the cybersecurity sector, it’s crucial that organizations maintain a repository of knowledge related to processes and procedures. Doing so creates consistency, lessens the adverse effects of turnover, and reduces onboarding/training time for new personnel. It also bolsters the organization’s collective capability and resilience by equipping team members with a resource they can use to complete unfamiliar activities, learning new skills in the process.
Measurement & Optimization
Many organizations lack visibility into their cybersecurity programs. While they may be able to undergo internal/external assessments for point-in-time snapshots, they lack a continuous measurement capability. This presents a significant challenge when it comes to advancing the program since, according to the father of modern management, Peter Drucker, “If you can’t measure it, you can’t improve it.” Furthermore, they often lack the capability to validate security control effectiveness, which provides meaningful insight into the program’s true security posture. Policies and procedures can be used to ensure that the program is measurable and that its performance is reviewed regularly to facilitate continuous improvement and optimization.
If you’re in an organization that’s subject to regular audits, you know that documentation is one of the first things auditors will ask for. This makes having a formalized cybersecurity program a necessity. Formalized policies and procedures show auditors that you have things under control and instill confidence in your program’s ability to manage risk. They also make the audit process run much more smoothly and take up less of your time, since the documentation will answer many of the auditors’ questions. Given the increasingly complex threat, vulnerability, and compliance landscape, having a formal program is the only way to ensure that you’re properly managing risk.