Why Information Systems Security Policies Are Important

ISS policies ensure the consistent protection of information flowing through the entire system. Information is not always static and often changes as it is processed. The information must be protected throughout the process at all times. Physical and logical access controls must work together to protect the data; however, that is not always the case. What about a disgruntled employee with elevated access privileges? How do you protect resources from someone with this kind of authorized access? Physical security has limits and should be viewed as one of several layers of control.

The following are foundational reasons for using and enforcing security policies:

  • Protecting systems from the insider threat—The “insider threat” refers to users with authorized access. These are privileged users who would have the ability and access to wreak havoc on the system. The insider threat is probably the most significant threat to any information system. Policies help monitor authorized user activity.
  • Protecting information at rest and in transit—Data is generally in one of two states—data at rest, such as on a backup tape, or data in transit, such as when traveling across a network. Essentially, policies help to protect data all the time.
  • Controlling change to IT infrastructure—Change is good. Managing change is better. This reduces the risk of vulnerabilities being introduced to the system.
  • Defending the business—Ensuring that the business can deliver reliable products and/or services will protect the company’s brand.

Security policies strengthen an organization’s ability to protect its information resources at all times while providing secure access to employees when they need it. Policies allow for control of the system, changes to the system, and reduction of much of the risk to the system.

Policies That Support Operational Success

The definition of operational success may vary from one organization to another. Governments may view stakeholder success differently from private industry. However, all kinds of organizations have a common concern: Is there a cost involved? Cost can be measured by either the cost of deploying policies or the cost of not having the policy in place. The cost of lacking a policy is often measured in terms of fines and legal expenses.

An effective way of expressing cost is through risk. By spending X, you can reduce Y amount of risk. For example, it would be reasonable to spend $50,000 to reduce a high risk of getting a $500,000 fine. This also allows for change in a controlled manner. It ensures that only policies that add true value are adopted. A good policy includes support for incident handling. Containing an incident can help reduce the organization’s exposure time. Identification of the cause of the incident can begin immediately, and the attackers may potentially be determined. A solution is more forthcoming, allowing the resource to be made available in a shorter amount of time. As most business folks will tell you, “Time is money.”

By controlling costs and focusing on the most important risks, an organization can eliminate waste and support operational success. The key risks to the organization are reduced over time through continuous improvement achieved in part by having a good postincident handling process.

Challenges of Running a Business Without Policies

When an organization lacks policies, its operations become less predictable. Individuals will operate based on what they think is a good idea at the time. Imagine a rowing team without direction. Everyone has an oar and tries to arrive at a destination and avoid obstacles along the way. Even if you managed to arrive, think of the waste of going in circles as one side of the boat rows faster and with more urgency than the other. This assumes you can get the team to row at the same time. It’s no different with policies. Policies allow an organization to row in the same direction, applying the same rules, priorities, and business goals across the teams.

Here are a few challenges you can expect without policies:

  • Higher costs—Due to wasted efforts and a lot of rework
  • Customer dissatisfaction—Unable to produce quality because individuals make their own judgment as to what is right or good
  • Lack of regulatory compliance—Individuals decide when and how to follow legal mandates

The result may well be legal action amounting to fines and loss of business. Depending on the industry, regulators may have the authority to close a business.

Let’s look at a typical credit card breach. Assume a hacker gains access to data for 1 million credit cards. Additionally, assume the hacker accesses personal information such as Social Security numbers. Also, assume the company was out of compliance with industry norms in protecting its systems. The lack of security policies, and the resulting lack of methodical ways to manage risks, allows vulnerabilities in these systems to go undetected. This could lead to lawsuits by customers and shareholders.

Dangers of Not Implementing Policies

If security policies are to ensure information is properly protected, failing to implement policies leaves information vulnerable. The information may be vulnerable to an attack or mishandling. Some employers say, “Our employees are the smartest in their fields,” or, “We’ve been operating like that for years without a single problem (knock on wood).” These are also responses to the question, “Why implement policies?”

The dangers of not implementing policies are unexpected and undesirable outcomes. In the event of an ISS incident, employees will not know what to do, how to react, or whom to notify. This will lead to general confusion. As they’re trying to figure out the answers to those questions, an attacker may be copying more information from the system.

Good security policies include creating awareness of security’s benefits. This includes benefits to the employee. When good policies are implemented, they protect both customer and employee. With good policies in place, even if there is a data breach, the damage may be limited.

Dangers of Implementing the Wrong Policies

Similar to not implementing policies is implementing the wrong policies. You should create policies to address the proper processes, or detrimental consequences can occur. For example, consider a policy that states all employees should be granted administrator privileges to a system. Under this policy, the basic tenets of information assurance cannot be guaranteed. Users will have access to all information, which is probably not intended, nor is it a best security practice. Security policy is often a family of policies, so be sure they do not conflict with one another. In the event of a data breach, all employees with access immediately become suspect. This can often delay investigations.
