#21 Align your digital security policy to digital operations

Hello everyone, and welcome to this month’s overview episode of The Power of Digital Policy! Today I want to talk about digital security policy. Because well, security has become such a central point of digital. Or rather, the data breaches and data leaks have become the central point of discussion.

Digital security, cybersecurity, or just security. It doesn’t matter what your program is called, the facts surrounding security remain the same:

• It’s a day-to-day struggle for businesses because of the huge increase in hacks and breached systems, including mobile and IoT devices and only 5% of business portfolios are properly protected
• 71% of breaches are financially motivated, and 25% are motivated by espionage according to Verizon
• Accenture says that 68% of business leaders feel their cybersecurity risks are increasing
• And the University of Maryland informs us that hackers attach every 39 seconds, on average 2,244 times a day.

If you haven’t yet been a victim of a security breach, don’t count your blessings quite yet. It takes, on average, 206 days to detect a breach, so your turn is coming. And by the way, once you do discover the event, it will take some time to clean it up. The average lifecycle of a break from the time the breach occurs to containment is 314 days, according to IBM. Oh, and the average cost of a data breach is $3.9 million, or $150 per stolen record.

Is your head ready to fall off of your shoulders yet? Security isn’t just always-changing; it is challenging as well. Most businesses relegate the risk to the Chief Information Security Officer (or CISO) or somewhere in the pit of IT. But doing so doesn’t do justice to digital security. After all, with cloud solutions and the marketing team managing more of the martech stack every day, security needs to be an all-hands-on-deck activity. In other words, everyone needs to have responsibility for security, even though there might be one person stewarding security and living with the ultimate accountability.

I often am asked who in the organization needs to own digital security and how does that line up with my idea that there ought to be a single “librarian” for all of the digital policy. I certainly believe we should extend legacy roles, such as those of a CISO, into new digital channels such as AI and VR. But a lot of times, CISOs are busy with enterprise security and are not on the front lines of digital development, which is where the digital policy steward can play a critical role. Therefore, a strong partnership between the digital policy steward and other functions, including those of the CISO, need to exist. But remember that even those two roles can’t address security in a vacuum. You also need to have the human resources or training department on board so that employees are receiving the right level of training, and the rest of the digital community needs to either serve as trigger points or as recipients or both, for security policy information.

And since we are talking about security policy information, let me suggest that one of the key problems I see with organizations right now, is the lack of comprehensiveness in creating a digital policy program. Most enterprises create a policy, stick it into the policy library, and mandate employees to take once-a-year online security training. The training comes down to the individual previewing videos and answering a quiz, where if they pass 80%, they get the certificate and move onto business as usual for the next year. This approach is great for compliance but does nothing for your security practices. It doesn’t make you any safer than before the training cycle began. What is my issue with this type of training?

• The training mostly focuses on enterprise security for all employees and omits digital-specific risk.
• Very few employees pay attention to this type of training and see it as a compliance checkbox.
• We still continue to see major enterprise breaches and human errors leading to data leaks, with little adjustment to the underlying training material for the organization.

I think it is a great time to rethink security policy and do it in a much broader context that reflects today’s digital realities. When I work with clients, here are some of the things that I consider in order to get closer to a good baseline policy and practice.

Scope

• ‍What does your digital security policy address? For most enterprises, it is very limited and usually focused on the more traditional channels such as websites or maybe even mobile applications. But what about the development sandbox where the innovation lab is playing with machine learning? What about the Dropbox account your vendor uses to store the creative brief your marketing team sent over for the Q4 campaign plan? Or what about Sally’s GoogleSheet file she created while working remotely from home last week and needing to review new webinar signups?
• The scope of what your digital security policy should cover always ought to be broader, rather than narrowed. And don’t assume that “enterprise IT” or your CISO has it covered. Ask, because oftentimes, they don’t know what is happening in the dark corners of the digital marketing or operations team. Circumstances arise every day, and this is a great opportunity for the digital policy steward to have his or her ear to the ground and keep things legit as far as the policy goes.

‍Measurement and violations

‍Nobody ever seems to want to discuss the measurement of digital policy. I realize it is the spinach of the policy world, and everyone wants to eat it last. But like spinach, measuring digital security policy is healthy and good for you. So, try making your measurements easy to swallow. I recently did a fun experiment with a client, where we unveiled a pilot way to educate digital workers around security policy. Rather than having those “next-next-next click” training modules, we integrated security tips of the day throughout the digital world. Think your content management system welcome screen, a GitHub tip of the week reminder in the Slack channel, and impromptu free ice cream giveaways for workers sharing their tip or good security practice. We were able to measure security message penetration into the digital workforce. Did it prove useful? It did from a knowledge perspective. We haven’t seen as many violations of security, but it is early and hard to prove a negative. But the initial feedback from employees has been that they are having fun with the new model, it is not disrupting their work patterns, and they are learning more about security. How’s that for spinach?

‍Roles and responsibilities for triggers, reviews, and updates

• When you are documenting your digital security policy, make sure that you name the roles and responsibilities that go with it. Often times, we like to see this document as part of the broader digital governance framework. Conceptually that works well and is necessary, but when you break down governance into operations, you need to become specific. Documenting roles and responsibilities at the operational level into your policy will do you a world of good. I’ve learned this through lots and lots of practice.
• If there is any internal protocol around sign-off, make sure that you capture that as well. I also like to ensure that we document the responsibilities around who and what triggers will cause us to review the policy. This is a crucial aspect of security policy and needs to be documented, rather than committed to the mind or practice of one individual, such as the steward. The steward can own the action but still document the details.
• In terms of triggers, think broadly about the type of triggers you might encounter that will cause updates to the security policy. If you need a hand getting started, head over to my blog. I’ve given everyone a head start in a four-part series of triggers that ought to be at the top of your list of updating policies.

‍Protection and breach detection

• This is a common area of policy consideration, so that I won’t delve into all of the fine details. But as part of your security policy, you ought to address inventories, how do you add components to the portfolio (such as AI or virtual reality), approved deviations, access controls at the macro level like channel and micro at the account or read data level, and software licensing restrictions.
• The most overlooked aspect of the policy when it comes to protection and breach detection are third parties, such as vendors and processors. Make sure that you carefully consider these entities and include them in the focus of your policy.

‍Contingency planning and business continuity

‍Most everyone thinks of contingency plans and backups as a separate policy. They are, but they are often triggered by a security event or the need to respond to a security event. So when you are pulling together your policy, make sure that the practical practice areas consider this intersection and that the security policy addresses or points back to the contingency planning and business continuity.

‍Cloud management

• Here is a big area of security policy concern that is often overlooked by enterprise practices. Cloud management needs to be its own policy, but cloud management from a security architecture perspective is critical for the security policy.
• Also consider access management, multi-tenant environments (and whether you will allow them), virtual machines, data handling and portability, data localization management (especially if you are a multinational or operate across geographical borders), and sensitive data and cloud storage.
• There is so much to explore and discuss in this arena and I don’t see enough enterprises delving into this as it seems complex and overwhelming. You need to start the conversation!

‍Other considerations

• If you have another five hours, I can go into additional details on security policy, but we don’t have that much time today. Let me give you a quick checklist of what to think about:
• 3rd party vendor access management. I can’t say enough about this and how many times consultants gain access to systems only to have that access continue for many years to come. Make sure you understand who has what type of access and when, and whether they have been vetted and continue to need access to your digital channels.
• Regulatory and legal compliance is always forefront in my mind. Remember that a lot of the new data privacy regulations have security aspects to them. GDPR and CCPA are front and center of everyone’s mind right now. But there are others, such as POPIA and LGDP, to which you should be paying attention.
• Maintenance operations are an obvious area of security policy to address. Security is never a “one and done” policy topic, and you can’t put it on autopilot as you can with accessibility policy or another more stable area of practice. Think through how you will make security a living practice.
• Contractual performance needs to have a security aspect to it and given how many data leaks and breaches occur as a result of contracts with other parties, get this area of your reviewed and the policy shored up.
• And then there is insurance. You can have a great policy but still, have some risk exposure. So how do you want to address that? Accept it? Insure against it? Whether you decide to pursue insurance or not, every organization (and every gig worker for that matter!) needs to at least understand what it is and whether it is relevant to its digital operations.

Make no mistake; I am not a security expert, which is why I partner with those who are and can bring the security subject matter expertise to the policy development discussion. And one of the key voices that every organization needs to consider is that of a cyber insurance expert. Insurance is one of the most overlooked areas of policy, and yet it can bring tremendous benefits and comfort to the organization.

This month, as part of the digital policy security discussion, I’ve invited Courtney Hensley to the podcast. Courtney will tell us why insurance needs to be considered for every business, how little it actually costs, and what aspects of insurance you should be thinking about (and telling your C-suite about!) in order to help the business properly balance the risks and opportunities of digital. Join me next week as we learn all about the digital insurance realm.

Until next time.