
2022-05-21 00:06:12 By : Mr. Samuel Tang

Avoiding the Unintended Consequences of Strict Cybersecurity Policies

Does the left hand know what the right hand is doing? Or does even the left pinky know what the left ring finger is doing? Problems can easily arise when policies, including cybersecurity ones, end up being out of sync with business, technical, legal or regulatory requirements.

The situation becomes even more severe when policy drafters end up with a stringent rule that leaves process or technology owners befuddled. Imagine a recovery objective that does not obey the laws of physics. (Think: "policy requires a recovery time objective of five minutes," but your current architecture cannot restore service in less than an hour.)

Unintended consequences of overly strict cybersecurity can end up damaging a business and internal relationships.

Regardless of the role you are in now, it is quite likely that, at least once in your career, you have paused – likely out of frustration or exasperation – and openly wondered, “Does the other side of the house actually know what we do here and what we need to work?”

If you have found yourself in a case like this, you may have also witnessed the workaround. Users circumvent policies and rules just to get their day-to-day work completed.

Let’s say a user installs unapproved software on their machine. Cases like this are sometimes known as shadow IT: applications and other technologies end up being managed outside of the enterprise’s control, so they are never inventoried, patched or monitored. The security fallout can be disastrous. If an attacker exploits a vulnerability in the unapproved software, it could serve as an entry point or vector onto the network. Next thing you know, ransomware – the top attack type globally, three years in a row – is spreading across your environment.

So what’s the answer to stopping shadow IT? How do you ensure policy aligns with real needs? In a nutshell, it takes knowing your business, stakeholder dialogue, balancing objectives and defining your risk posture and tolerance.

Policy development should be driven by actual needs, and rules must be realistic. If you are drafting policy, one of the major resistance points you may encounter is that users are fearful of the auditor. Once a requirement is drafted into policy, staff suddenly become accountable for it. If the policy is very stringent, stakeholders may push back hard, if for no other reason than self-preservation.

Avoiding this requires a facilitator that can see all the moving pieces and understand the big picture. The most successful chief information security officers (CISOs) can balance all these conflicting (but related) priorities and needs, or at the very least, try. For CISOs, remember that your role has evolved into something much more than just deploying technical measures. Failure to adapt could result in your responsibilities being rolled into the chief risk officer position over time.

Therefore, to assist this effort, there are some quick steps that can help you navigate the big picture:

Governance issues are not easy, even in smaller organizations without much operational complexity. But governance and enforcement drive the security program. Therefore, the facilitators and drafters need to get ahead of the curve through some fact-finding and discovery.

These initial analyses with stakeholders help find workable solutions and reasonable expectations. For example, management may insist on a strict policy that facilitators and drafters realize is not realistic. What are some examples of living outside of reality?

Some guidance from Dee Hock: “Simple, clear purpose and principles give rise to complex and intelligent behavior. Complex rules and regulations give rise to simple and stupid behavior.”

This should be your gold standard for policy development. Make sure that reasonable exception processes exist. By having an escape valve, you can also convey a clear path for special and unusual requests, limiting the prospect of shadow IT.

If you nail these down, your next critical step will be ensuring your people get behind the intents and purpose of the policy. This is why, if you are in charge of policy development, you also need to be an influencer.

In the end, it is a culture issue. If the boss is skirting the rules, expect the staff to play fast and loose with the rules, too. People need to know more than just what the policy is. They need to know why it matters to them. We previously discussed some good methods on how to convey the reasons to staff, allowing them to take the need for good security to heart.

If all the right stakeholders are involved, the purpose and intent is clear, and there are mechanisms to make the process work within reason, you are on the path to mutual trust. That will get you the cultural buy-in you are looking for.

George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related ...

