Expert Cites Big Problem with Security Policy Compliance

Attendees at this week's SecureWorld Boston conference got a stern talking-to Wednesday morning: Keynoter Charles Cresson Wood said organizations need to get their information security policies in order or risk going down the tubes.


The independent security consultant said too many organizations have security policies on paper only and don't really have the systems in place to ensure compliance. He reached back to the demise of Arthur Andersen and financial troubles at Cooper Tire as having been caused in large part by problematic data destruction policies.

"Does top management at your company know that the price of stock equity in your firm could so easily evaporate because of information security problems?" he asked.

"I'm suggesting that we have a major problem with compliance when it comes to information security policies," he said.

What's needed is for companies to go back to basics on information security policies, said Cresson Wood, author of numerous books on the subject and, more recently, a mover and shaker in the push for alternative fuels in the name of contingency planning. Key parts of that include end user awareness and training, and making sure that IT departments stick to security policies, he said.

A huge problem is that security policies are still too reliant on people, Cresson Wood said.

"If you want a high level of compliance do not rely on humans to get the job done," he said.

"Things are going too fast in information security. A manual response to distributed denial-of-service attacks, for example, is inconceivable," he added.

Scripted and automated compliance enforcement needs to be put in place, supported by intrusion detection, intrusion prevention and other tools, Cresson Wood said. Security appliances will be documenting and vouching for policies, producing admissible evidence that can be used if disaster strikes and legal issues ensue. "Something like a black box when an airplane goes down," he said.

Even companies that have information security policies in place often don't align those policies with business realities. For illustration, he described a situation where a sales person might have more incentive (a sales quota) to reveal confidential product information to a potential customer than he would to comply with the company's security policy against divulging such information.

"It would be time and money well spent to go back and see if your information security policy is consistent with your business needs," Cresson Wood said. He didn't offer up any solutions for doing this in the current economic environment other than to point to studies that show a great ROI on implementing good policies.

Synching up the policy with corporate culture is key.

"In too many firms, they're still being policemen," he said. "This will set up a culture of resistance and pushback. You need to foster an environment of shared objectives."

Another problem with security policies today is that companies often have too many. "We need to get rid of a bunch so we can simplify and focus," he said.

As for what Cresson Wood would like to see in security policies, he favors a move toward "parameterized" ones that spell out different security rules for different people or departments within an organization. For example, an eight-character password might do the trick for some employees, but not for those with network administration privileges, who might require two-factor authentication.

"One-size-fits-all no longer works," he warned.

Cresson Wood also is a believer in defense-in-depth security strategies that include multiple layers of protection. He said such security policies will be vital for organizations as they are required to comply with more industry and government regulations, including a possible expansion of something like the Sarbanes-Oxley Act to include information security within 10 years.

Follow Bob Brown on Twitter and at the Alpha Doggs network research blog.

This story, "Expert Cites Big Problem with Security Policy Compliance" was originally published by Network World.
