You Have Too Many Security Policies

February 26, 2015

Pull out the latest edition of your security policies. Might as well grab the standards, guidelines, secure coding standards and anything else that tells people how to be secure.

How many things in that? Hundreds? A thousand?

And of those thousand things people need to do, how many actually protect the enterprise from attack? How many help you secure your assets?

My guess is not many. They are likely compliance driven: policies required by your regulators, auditors, and other parties interested in seeing you do the right things.

But they make you compliant, not secure.

You in turn need to spend more time monitoring compliance instead of securing your environment. Take a simple example:

A developer sits down to write an application. How many policies do they need to follow? Can they reasonably write a program which meets your security policies? Probably not. Instead, they write the application, it’s reviewed at some later date and it turns out to be non-compliant. They go back and fix the application.

A costly mistake which may not impact the security of the organization.

Fewer Policies, Better Security

If you only had 12 policies in your organization today, likely everyone would know what they were. People would think about them. When they didn’t follow them, they’d do it intentionally.

And if you only had 12 policies to enforce, you’d be able to monitor them frequently and effectively. You’d be able to build them into your environment by design more effectively.

Can We Get To 12 Policies?

Today, probably not. Your regulators and auditors would run from the building screaming. But can you start eliminating policies that have no measurable effect on security? Yes. We need fewer things that are more enforceable to create better security.

And your job?

You can focus on securing the organization instead of making sure everyone is compliant with policies.