While a security policy should be “fairly stalwart and stable” to withstand those threats, some standards and individual procedures written for how to deal with individual threats may have to be updated more frequently as the threat environment changes, says Julie Bernard, principal in the cyber risk services practice at Deloitte in Charlotte, N.C.
2. Cloud, IoT, blockchain and other new technology
Next-generation tools, such as the Internet of Things (IoT) in manufacturing or blockchain in financial services, are driving changes to security policies. “Policy has to keep up with the dynamic environment you’re in,” says Bernard. “If your company is going to cloud, tech people are worried about uptime and security, but what about the policies that go along with it? Can I share information with one of my key vendors through a cloud app? If so, which one? And how do you facilitate that, which gets into standards questions,” Bernard explains.
“You could have a policy of ‘thou shall not share,’ but unless you have the technical ability to block that, people are still going to try to get their work done” and do it anyway, she adds.
3. Changing user behavior
A growing millennial workforce is changing the technology expectations and work behaviors that affect security policies and standards, Schwartz says. “It’s more about ‘if you’re on Facebook at work watching that funny cat video, be careful because it might contain embedded malware,’ or ‘just don’t do it at work,’” he says. “Instead of giving users instructions that are generic about protecting information, you really have to tailor those instructions to the behaviors that we know they’re doing at the office,” such as using smart devices connected to corporate networks or surfing social media on company laptops.
In some organizations, security standards and procedures include equal parts of preventative measures and response measures, including directions for taking action after a breach inevitably happens, Schwartz says.
4. Security fatigue and lax enforcement
Sometimes employees just get tired of following all the rules, Heiser says. Pile on too many “don’ts” over time in the security policy, and security fatigue can start to diminish a policy’s effectiveness. “They’ll just begin tuning it out,” he says.
In response, organizations often lighten up on enforcing policies because of rampant use in areas such as public and cloud computing. “The majority of organizations are not enforcing the use of SaaS,” Heiser says. “They’re allowing fairly free use of anything that employees can connect to,” which negates having the policy at all.
5. Some policy elements are obsolete
“Organizations typically don’t take a methodical look at their policy elements to see if they’re actually changing what happens,” Heiser says. “If they don’t change what happens, then what’s the point?” He suggests making a spreadsheet of all security policies and grading them on a scale from one to five. “Are they followed or not? If they were followed, would it reduce risk? If either one of those is zero, then the net outcome is probably zero, unless there’s an audit requirement” to include it.