Every IT department knows it needs a solid set of policies and procedures to govern its technology stack. Yet recognizing the need for good governance is very different from investing in the steps necessary to enact it. The fact is that IT teams of any size often get sidetracked by projects or maintenance that have a direct impact on the organization’s everyday operations, pushing off review of their organization’s Policy and Procedure binder until they’re confronted with an upcoming annual renewal for cyber liability coverage, a compliance audit, a vendor security questionnaire, or, even worse, a cybersecurity threat.
According to the SANS Institute’s State of Cloud Security, 84% of cybersecurity compliance risks could be prevented if organizations adopted and improved their security governance, but what does that actually entail for everyday businesses?
Governance Documents: The Plan Often Glossed Over
Policies and procedures are the documents that govern your organization’s effective use of technology. They provide the guardrails for your employees on password requirements, how information should be secured, what kinds of security protocols they have to employ, what AI tools are authorized to process company data, and more. To be effective, these documents need to be detailed and granular, covering even the most mundane aspects of technology usage, because if you don’t spell out what bring-your-own-device policies are in place, what constitutes “acceptable use” of your organization’s technology, or how devices and accounts need to be secured, then you are increasing the chances of a cybersecurity incident or data breach.
In addition to providing guidance on how exactly your team should be using IT resources, governance documents should include plans for how to respond when a breach occurs. While it’s idealistic to think that your organization won’t ever suffer a breach, the reality is that every business will have to deal with a cyber incident if given enough of a time horizon, and that’s why there needs to be a plan in place.
However, it’s not enough to simply have the documents written up; they should be regularly reviewed and updated to stay ahead of cyber threats, changes in systems or technology, and industry-specific best-practice recommendations.
How Often Should I Review My IT Governance Documents?
It would be easy to provide an arbitrary number for how often you should review your IT governance documents, but the reality is that there is no hard and fast rule that could be given as “ideal.” Having a regular review schedule is a great first step because it offers your organization a baseline of protection by creating a benchmark for when updates will take place, but it’s critical to also pay attention to new developments within the industry.
IT governance documents need to be updated whenever there’s a substantial change in the kinds of threats an organization may face. Whenever governance documents reference an obsolete technology, that presents an incredibly high risk to your organization’s security posture, because it means that your documents no longer reflect the realities of what could be happening when a security incident occurs. With technology changing rapidly, it’s even more critical that your organization stays on top of its governance documents so there’s a clear plan to follow in the event of a cyber attack.
I Have Governance Documents, but No One Follows Them
Business leaders of every stripe will often develop IT governance documents at some point in their organization’s existence. Having documents is better than not having them, but they don’t do much for anyone if no one follows them.
Diagnosing why your organization’s IT governance documents aren’t being followed can require some research, because there are many circumstances that can lead to noncompliance. It may be that the team isn’t aware of them, that there’s no enforcement system in place, or it could even be the word choice that’s used.
Governance documents need to be black and white if they’re going to be effective, but far too many companies use phrases that imply a policy is a suggestion rather than a requirement. Plus, if the documents look like they weren’t written by the same hand – whether that’s because of font or formatting – employees will be less likely to comply, because they’ll perceive those policies and procedures as less prescriptive than they actually are. It is also important that your organization creates a culture that embraces compliance requirements, and this begins at the leadership level. If your CEO does not comply with policies and procedures, why should the rest of your staff?
Design Your Organization Around Security
Too many businesses try to bolt security measures onto their organization once it’s up and running, in the mistaken belief that they aren’t at risk. However, what many come to realize is that approaching cybersecurity with a reactive mindset exposes your organization to an increased risk of cyber attack. Security is a fundamental process that needs to be at the heart of your organization if you want it to be effective in protecting the data of your organization and its customers.
If you’re looking for other ways to boost your cybersecurity posture, it’s worth checking out a recent blog on our website covering cybersecurity basics.