What follows is an analogy that I have been meaning to write for years, but, like all great procrastinators, I let life get in the way.
Be warned however, I have taken significant ‘poetic licence’, and generalised outrageously, so don’t be too upset with the glaring ‘plot’ holes. I have also written this from the perspective of my own experience running, not from a true runner’s perspective. Anyway, I’m still faffing…
I have lost count of the number of times I have stated the equivalent of; “Without good policies you’ll never have real security. “. Then again, security is what I do for a living, so it’s obvious to me, but clearly it’s not obvious to the thousands of organisations who think policies are just pieces of paper you use to tick a compliance box.
Then it occured to me that maybe organisations just don’t know how to take a policy and turn it into something that can be used to both demonstrate and validate adherence to a regulatory compliance regime such as GDPR or PCI. Or perhaps just as importantly, pass a due diligence audit for a potentially huge client.
It was not that
long ago that the most senior security incumbent at the time of a data breach
was not only fired ignominiously, but torn to shreds by his/her ‘peers’ as
being anything from unqualified, to incompetent, to grossly negligent.
nothing short of pariahs.
The vestiges of
this ridiculous practice are still rife (take BA for example), but things are
changing, and we all have a Recital to thank for it:
It is with some surprise (and frankly, confusion) that I now realise not all security professionals think information security policies (ISPs) should [must!] be aspirational in nature.
By ‘aspirational’, I mean that at least some aspects of your ISPs require a greater degree of control / implementation / assurance etc. than you are currently capable of achieving in reality.
The ‘accurate policy’ proponents feel that if the policies do not reflect exactly what you are doing, then what you are doing is in violation of your own policies, thereby effectively rendering those policies useless. I assume, by extension, that they consider compliance with any regulatory regime is also nullified.