Mitigate Risk with an Effective Security Policy

Security policies are often written by people who have security expertise but not policy expertise.

Having trouble creating an effective security policy for your organization, but not sure of the best approach to developing one? You’re not alone.

It’s one thing to know how a security environment should be constructed, but translating this into a written set of enforceable rules is a discrete skill. Despite the wealth of resources on writing information security policies, companies still struggle with balancing the right level of guidance, a sufficiently direct style and a risk-based approach.

According to Rob McMillan, research director at Gartner: “If you can’t translate your requirements into effective policy, then you’ve little hope of your requirements being met in an enforceable way. But if you get it right, it will make a big difference in your organization’s ability to reduce risk.”

Your security policy defines and documents your organization’s established position about the security risks that must be controlled to meet the risk appetite of the business, which will ultimately fund security controls and bear any residual risk.

By 2018, 50% of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, up from 5% today. The importance of an effective security policy can’t be ignored.


Approach security policy development as a process

It’s a mistake to assume that you can successfully develop policy by having a knowledgeable person compose a document in one sitting, in isolation from the rest of the organization. This will alienate the rest of the organization and lead to high levels of resistance and counterproductivity.

“Successful policy outcomes almost always require a process of consultation and iteration before a final, sustainable policy position is drafted,” says McMillan. “If you can’t defend your process, then you can’t defend your policy.”

Policies also require universal support; they can be undermined if the stakeholders affected by them have not helped to shape the outcome. Consult with each business unit affected by the policy if it is to be politically and pragmatically viable, and secure wide-ranging support at the senior management level before seeking final approval from the CEO or equivalent position.

A common criticism of policies and standards is that they often tell people what they cannot do, but rarely tell them what they can do. Test a number of real scenarios that staff members face, and determine how the policy supports or inhibits them.

Don’t forget compliance. If you can’t verify compliance, the policy statement may be unenforceable, and you will be left with a control that is not fully effective in mitigating risk.

Gartner clients can read more in the report ‘Five Golden Rules for Creating Effective Security Policy,’ by Rob McMillan, et al.
