Cyber security policies are used throughout organisations to lay out expectations, commitments and responsibilities. They ensure that those within an organisation understand what is expected of them and the measures they should take in different scenarios. A policy may cover matters such as acceptable internet use, what to do in the event of a security breach, and password management. Some policies are legally required, and they often provide legal protection for the organisation and its employees.
Despite policies often being a legal requirement, which itself demonstrates their necessity, it has been widely suggested that they are neglected or ignored. A 2019 study by ClubCISO asked senior information security leaders about the effectiveness of policies: 53% of these professionals said they believe their policies are ineffective or do not affect day-to-day practices. Given that such a large proportion of security leaders see policies as having little effect on cyber security, there is clear room for improvement. Keeping policies clear and concise is key to their effectiveness. Policies are more beneficial when they use succinct, jargon-free language and when all employees know where to find them. Making the key information easy to find within a policy helps people use it properly. If policies are easy to navigate, easy to understand and straight to the point, they are more likely to be effective and useful for organisations and the people within them.
One of the most challenging, but most important, requirements of a policy is that it be realistic and actionable within the working practices and culture of the organisation. If employees are not following their employer's cyber security policies, it could be that the policy is not clear, is not well communicated, is not well supported (in terms of the systems, tools or training made available to the employee), or is asking something impossible of the employee. Sometimes the behaviour of the employee needs to change, and sometimes the policy itself needs to change. For this reason, it is ideal when policies are developed in consultation with the workforce and with an understanding of the organisation and its security culture.