Fresh Thoughts #121: Why Security Policies Keep Getting Longer and How to Stop it


Roughly half of the earth's population will vote for their government in 2024.
Each making a choice on which direction they want their country to be taken...
...and what new laws and rules should be created.

In a new environment, creating efficient, streamlined sets of rules is straightforward.
But, with time, more unforeseen situations arise.
Leading to more edge cases and rules.
And longer policies.
And more guidelines.

I think of rules as fences.
Boundaries.
Stay below the speed limit, and you're within the fenced area.
Everyone is happy.
Exceed the speed limit - and you have crossed the fence line.
That's the land of Not Acceptable.

Every new rule - every new fence - subdivides an area.
Making it less efficient and more challenging to navigate.

And so we start to wonder - Should we remove some of these fences?
But which ones?

Unfortunately, the memory of why the fence was erected in the first place is long gone.
And a conservative nature tells us - Don't remove it, just in case.
So the fences stay.
And policies get longer, with more rules.

How to Stop Endless Growth?

I use two approaches.

First, the quick-win approach.
Delete all rules containing the words “should” or “may”.

When economies are booming, ideas and ideals that are “nice to have” creep into policies.
But in more challenging economic times, attention quickly switches to - What are the essential things I must do?
Anything beyond the fundamentals is unnecessary.

As IT and cybersecurity are both necessary costs of doing business, we must continually operate in the model of tough economic times.
So the nice-to-have “shoulds” and “mays” automatically fall within unnecessary costs - and must be removed.

The second approach I advocate is - periodically redraft policies from a blank sheet of paper.

Once every 5 - 7 years, run a project that asks - If I were creating the policy from scratch today, what would it look like?
The intent is not to recreate detailed wording for each policy but to highlight which rules remain relevant.

Recently, I reviewed an Acceptable Use Policy that described in detail the approvals required to connect a personal laptop to a wired RJ45 network port.
Unfortunately, none of this was relevant as the business had moved to a wireless-only network 5 years ago.

There was no reference to wireless at all in the policy.
No mention of tablets or phones.
It was written from the perspective of 2007...
The pre-iPhone era.

Final Thoughts

As I've written previously, policies and rules are critical.
Without policies and processes to enforce them, staff do not have rules on what is and is not acceptable.
And there are limited ways to stop staff from taking personal copies of sensitive business data.

But, equally, ever-growing policies cause issues for conscientious staff and hurt businesses.

Regular yearly reviews help limit the unrestricted growth of policies.
However, occasionally starting with a fresh page and doing a more detailed rework is essential.

June 4, 2024
