Misinterpreted policy?

A couple of months ago I was home ill from work and frankly a little bored.

While idly reading my Twitter feed I reflected on a challenge I had been facing at work: a very technology-focused, agile team that seemed to move faster than the security team could handle. I had realised some time ago that, short of a herculean hiring effort, we needed a combination of automation, delegation and good engagement to achieve the security outcomes we desired.

At about the same time as addressing that challenge I had also been involved in the production of an updated acceptable use policy to meet some PCI DSS requirements, which had been a lightly bruising affair. The business has a startup culture where freedom and good sense are valued much more highly than rules. The noticeably positive culture of the organisation was rooted in this, and as a result the managers resisted the imposition of new rules. It was also the case that the staff cried out for information and knowledge so they could make their own minds up about security: they wanted security awareness training, as long as it explained why security mattered and how it worked.

The combined effect of a fast-moving technology team, the startup culture and the positive results of plain good security communication and engagement was that a written policy seemed anachronistic and almost fossilised.

I posted the following provocative, somewhat tongue in cheek, but honest question:

Questioning security policies

This started a Twitter conversation with a number of security professionals. I enjoyed the conversation but I found it frustrating: I was trying to get to the bottom of the real value of security policies, but the conversation didn't really address that and seemed to focus more on the format of successful security policies. It was a fun conversation to have while at home without the distraction of work, but in hindsight I forgot two truths of the Internet:

  1. A conversation on the Internet is a public thing.
  2. Written text on a screen is interpreted without any other context.

I did realise after a while that the conversation was getting a little out of control so I summarised my exit with:

Agree to disagree

The conversation didn’t descend into one of those Internet shaming episodes (thankfully) but I was surprised to receive a ‘storified’ version of the conversation (Here if you would like to read it).

It turns out that an answer to my original question which makes sense to me came out of the Storify comments, from Rowenna Fielding: “If there is no written policy then how can risk decisions be made consistently and in line with the organisation’s risk appetite?”. That makes sense to me and is a foundation you can build upon, with a focus on driving consistency in security risk decision making.

I thought that was the end of it: an interesting if somewhat frustrating conversation in a medium that probably doesn’t lend itself to these sorts of philosophy-of-security debates. I was wrong. A month and a half later this conversation spawned two guest blog posts on the Tripwire blog: Security Policies – To Be Or Not To Be Pointless… and Corporate Security Policies: Their Effect on Security, and the Real Reason to Have Them. I’ve subsequently been asked my opinions on these posts, hence this blog post.

Reviewing these posts, I think I communicated my question poorly and was misinterpreted. Given the consistency of the misinterpretation I must assume it was my fault.

To quote from the Storify comments, “I wasn’t quite sure whether this gentleman was actually advocating for the abolition of the written policy” in response to my original question – I wouldn’t say I went as far as advocating (Advocate: A person who publicly supports or recommends a particular cause or policy) so much as questioning. I think Storify is a fascinating mechanism for seeing how someone else interprets your words, but it does feel like a one-sided conversation; kudos to the author for taking the time and effort to produce it though.

To respond to the first blog post, by Sarah Clarke, Security Policies – To Be Or Not To Be Pointless…: “Phil’s core and continuing assertion was that good tech, awareness and risk management negated the need for any written security policies.” – Again, I wouldn’t say I asserted that they negated the need, but I wasn’t (during the conversation at least) convinced of their inherent value as a format and/or mechanism for achieving the outcomes that are somewhat foggily assigned to them. I think this post reiterates much of the valuable accepted wisdom about policies among practitioners who want to do more than tick the security compliance box on their management checklist.

To respond to the second blog post, by Claus Cramon Houmann, Corporate Security Policies: Their Effect on Security, and the Real Reason to Have Them: “The discussion was started by a person critically stating that as far as he was concerned, they have no value at all.” – Um, actually no, that is wrong. I started by questioning their value and ended up by saying I hadn’t been convinced of their value. I really hope I didn’t appear as arrogant as that quote from this post suggests. I think this post lists a pragmatic selection of reasons to have security policies but skips what is for me the key reason: risk communication.

I fundamentally believe that helping and nudging staff to make ‘better’ risk decisions on behalf of the company is the ultimate aspiration of a security team that cannot be there looking over their shoulders, telling them what the security team thinks they should do. Security is ultimately a people issue and we cannot effectively manage it primarily through technology. Good risk communication is about helping staff make ‘better’ decisions: decisions whose risk outcome is more favourable to the organisation. Bad risk decisions (unfavourable in outcome to the organisation) will efficiently route around all the technology controls you deploy.

I thoroughly recommend people read these posts, and I commend their authors for writing on policy, as it is an area where many untested historical assumptions lie. I think questioning the orthodoxy that has been built around the security ‘profession’ is important. I also think we should start measuring the effectiveness of policy as a method for communicating risk appetites and driving consistency in decision making. The hypothesis is that a security policy increases consistent risk decision making within the organisation’s stated risk appetite compared to an organisation without a policy; now that would be a *very* interesting and important study to conduct.

The conversation was interesting, fun, a little frustrating and in hindsight much too easy to be misinterpreted. I wonder if those are some of the key characteristics of Twitter itself.