Business decision makers want to make things happen efficiently – they understand the relationship between risk and reward, and typically accept a reasonable level of risk in order to achieve a positive outcome. When it comes to cyber security as part of the bigger risk discussion, it’s key for the IT team to give them a realistic understanding of that risk, without making them feel like they have to become experts on security or technology. There will often be a tension between the need to innovate and the need to manage the associated or perceived risk.
Pre-pandemic, many organisations were in a state of constant change as they were executing on their digital transformation (DX) strategies. For some there was a realisation that cyber security in a DX scenario becomes more complex.
Roll on to March 2020, and COVID-19 acted as a catalyst, increasing the appetite for DX and expediting efforts towards it. Organisations were driven to further leverage digital capabilities to ensure continued operations as they rapidly adapted to changing needs, in many cases using already stretched or limited resources.
In the rush to adapt and change, if the combination of People-Process-Technology (PPT) is not balanced correctly, IT security risks will grow.
Having the appropriate IT policies in place is critical to underpin the success of the PPT framework, and ultimately the DX strategy.
- Policies address the requirement to protect information from disclosure, unauthorised access, loss, corruption and interference. Think “CIA” (Confidentiality, Integrity, Availability) when defining information security.
- They help to stop guesswork and manage business risk through defined controls that provide a benchmark for audit and corrective action.
- Well-written policies provide clear guidance to users, managers and technical people about what is acceptable, and minimise room for error.
- Creating new, or refining existing, processes and procedures in a time of change is very important. With IT policies in place that document the rules or expectations for working with information and systems, the definition of IT processes (what is done and by whom) will be easier. The same applies to IT procedures, which prescribe in detail how a process should be undertaken.
- Organisations are collecting increasing amounts of information, and regulatory oversight and penalties for a data breach are growing. Policies allow an organisation to document and communicate its expectations to all employees regarding the collection and protection of data.
- Business continuity issues – the introduction of destructive malware into the IT operational environment (sometimes as a result of human error) has proven to be very costly. Policies to cover this scenario will help ensure the appropriate resources are available to respond to and recover from disruptive incidents when they arise.
Contact Steve Macmillan to discuss how Protocol Policy Systems can help you to lay the foundation for a secure computing environment.