
‘Security by conformity’ does not exist

Blog, 28 February 2020 (updated 16 November 2020)

‘Policy is the adoption of objectives, resources, and a time path in mutual conjunction. Place and time are, preferably, described. Hence, policy is understood as making the direction and the resources available with which the imposed organisational objectives should be realised within the imposed period of time.’ Source: Wikipedia 


“Life is what happens to us while we are making other plans.” – Allen Saunders, Reader’s Digest, January 1957

One of the tasks of a CISO is to raise the organisation to a higher level of security.

In practice this means that plans are made, vendors are checked, procedures are devised, and a policy follows. Once that policy has been implemented, the organisation is obviously more secure. That may well be true. However, policy is often not implemented in full, simply because it is treated as law, and as law it would be too restrictive for the day-to-day operations of the organisation.

As a consequence, things can go in one of two directions:

– The CISO / Security Office becomes the bottleneck in a business that has otherwise been scaled and optimised to run as smoothly and productively as possible. A tremendous backlog of exception requests cripples the business.

– Employees get creative and start running a shadow operation that is completely separate from all security measures.

Of course, neither outcome can be the intent of a security policy. Yet many security professionals make the mistake of first modelling “their world” and then trying to press reality into it. Or they draw up a fantastic target picture, take an inventory of the current situation, and set up a project to reach that target in a year’s time. By then the world has long since changed: the attackers have become smarter, or the attack vectors and risks identified at the time have long been abandoned in favour of new tactics, techniques, and procedures.

The following points can help make the business more secure, because that, in the end, is the ultimate objective of a CISO / Security Office:

– The people you work with were mostly selected for a specific skill or mindset that may not match that of a security specialist. Show an understanding of their discipline. Put yourself in their shoes. Then look at how their activities can be carried out more securely without being too restrictive. Make sure your “one step forward” does not cause “two steps back”.

– Work on habits rather than books full of policies. Not everybody enjoys being able to recite the difference between “must”, “shall”, and “will”. Celebrate small successes with your employees.

– Do not say ‘no’. Say ‘no, but if you ….’. Again, the employees on the work floor do not have the same (complete) overview that you have. Help them with a hint in the right direction. Eventually they will also make more of an effort to conform to what you want.

– Explain that someone may well do things right “intuitively”, but that policies and work instructions exist to increase the chance that the right thing is done. People work by making assumptions (that is how people intrinsically operate), and those assumptions are very often right. This creates the risk that someone fears a conflict between his / her implicit knowledge and the highly explicit knowledge written down in a policy. Make sure people understand that the two are not mutually exclusive.

– Talk to people. Make sure you know when a policy is not supported. Then look at how the original objective can be achieved by a different route.

And finally, again: the organisational objectives are what matter. Policy is only a tool. But a good tradesman does not own only a hammer; a good tradesman has a toolbox with the right tool for every task.