POWER TO THE POLICY POLICE: BRIDGING THE GAP BETWEEN SECURITY AND COMPLIANCE
Andrew Tsonchev, Director of Technology, Darktrace Industrial, discusses the role internal security policies play in making the life of a security officer easier and what businesses can do to ensure that they are enforced in a way that keeps employees happy and engaged.
Despite the data breaches plaguing the headlines, security teams across the globe struggle to enforce the policies they put in place. I’ve met with hundreds of security officers over the years working in a variety of industries, all of whom have put in blood, sweat and tears trying to ensure the cybersafety of their organisation. But their efforts mean nothing at all when they are powerless to apply the policies they create.

Whether they are dealing with incidents involving rogue IT staff or other violations, exasperated security teams face a difficult task and can’t be left with sole responsibility for enforcement. After all, policies take time to update, which puts extra strain on already stretched personnel.

So what role do these policies play in making the life of a security officer easier, and what can businesses do to ensure that they are enforced in a way that keeps employees happy and engaged?
What’s the point?
Widely accepted as a best practice among cybersecurity professionals, internal security policies are a critical element of a strategic and proactive cybersecurity programme. Employees not on the security or IT teams possess limited knowledge of the cybersecurity challenges facing corporations and the risks their actions may pose to the company. Therefore, it’s imperative that businesses educate their employees about the growing cyberthreat to reduce the risk that they fall victim to an attack.

However, policies still don’t prevent mistakes, and we can’t expect a document or quarterly security training to change everyone’s bad habits or prevent employees from ever falling for a phishing attack. We have to leave room for human error.
By limiting what applications employees can use, laying out protocols for connecting to non-corporate Wi-Fi networks and instructing employees on the potential risks of rogue USB devices, companies can reduce the number of employees involved in these behaviours, thereby reducing the risks created by these activities.
Issue 14 | www.intelligentciso.com