Fresh Thoughts #21: The "I've got a policy you can use..." Insult


This week we've been talking a lot about alignment. At Fresh Security, we've created many policies and procedures to ensure that (once we've got an idea working) we're all pulling in the same direction.

Policy: Keep It Simple


Write what you do.

Do what you write.

The "I've got a policy you can use..." Insult

Cybersecurity policies have a bad reputation. It's well deserved, but it doesn't have to be this way.

A policy documents the unique guiding principles of your business. It is the way you tell your team and new employees, "This is the way we want to do things around here." Procedures follow close behind: "This is how we put our principles into practice."

So you would expect cybersecurity policies to follow the same pattern: we've decided on these principles based on our risk appetite, and this is how we implement them.

Unfortunately, in security, this is rarely the case. You see, there are two ways cybersecurity policies are created:

  1. Pay a knowledgeable contractor thousands to understand the way your team works. Document what they find and overlay best practices.
  2. Do a Google search. Find and replace {{enter_company_name}} with the name of your business.

I've found it's a point of pride in the industry that cybersecurity policies are free. "I've got a policy you can use..." is a phrase meant to win favour, with the speaker not realising the insult it carries.

Why do well-known brands spend thousands when smaller businesses are offered find-and-replace templates?

The brands realise that the way they work is part of their unique value. The individual experiences they create add value for their customers. They also realise that their operations become more complex and gain nuances as they grow. There is no off-the-shelf operating manual for being John Lewis, Uber, or the NFL.

It's true that smaller companies are more straightforward, and there are only so many ways to configure a Microsoft or Google tenant... but these claims miss the autonomy of decision-making and process that every business has.

"Every business has its own risk appetite" is a sacred security mantra... until it comes to writing policies and procedures. Then all businesses are treated as the same, because tailoring them is hard and judged not worth the time.

We believe every business was founded for a reason. It's why our teams push to achieve our goals. And how we get to those goals creates differentiation and unique ways of working.

Cybersecurity should be a background, business-as-usual task that keeps you safe while achieving your business goals. So your documented principles and the way you work should reflect your unique situation.

June 28, 2022
2 Minutes Read

Fresh Sec Limited