YOU'RE EITHER DOING IT RIGHT
OR YOU'RE NOT DOING IT RIGHT
DO IT BEST
Here's our approach to security policies and procedures:
1. There is a best way to do things, which is unique to your organization
2. You should ALWAYS do things the best way, rather than some inferior way
3. To guarantee this, you must
- write it down
- teach it to everyone it affects
Pretty straightforward, but you'd be surprised to hear that most organizations don't get very far on that list. For example,
1. Are you doing things the best way?
Are you using a canned policy that you got from someone else, and which doesn't really work perfectly for your organization? Is there a better, or more efficient, way to do things? Perhaps you've already started using that better way, despite what the policy says. Have you gotten a fresh set of eyes on it, to help untangle any of the sticky parts?
2. Is your policy consistently followed?
A policy can be amazing, but if it's only followed intermittently, it's a roll of the dice whether it's helping you or not.
Try this exercise: pick any aspect of your security policy, walk over to the first employee you see, and ask them to articulate it to you.
Do you think they'll be able to?
The reality is that even if you think your policies are being consistently followed, your employees might give you a different answer.
3. A security policy gives you NO PROTECTION if all it does is gather dust on your shelf.
If that's all yours is doing, perhaps the problem is with the policy. How much better served would you be by processes custom tailored to your organization? Processes that
- Emphasize your people's strengths, and account for their weaknesses
- Recognize the fact that security is not your core business, and make every effort to minimize inconvenience
- Focus on protecting you against REAL security risks, so you don't waste your time
At Castellum, solving security processes is our great strength. The picture at the top of this page could be our coat of arms. When done correctly, security processes are a force multiplier for your organization, because they are the only thing consistently standing between you and those who would steal from you.
Time to replace that dusty policy binder. Let's do it right from now on.