Confessions of a Security Policy Geek

Why I Love Information Security Policies

Being a vendor of information security policy content is somewhat strange. Many times during the week we talk to folks who need to write security policies for their company. The story is often the same: they are staring at the long list of requirements (say, from the ISO 27002 outline) and a blank screen of MS Word and saying, “How do I even begin?”

While most of our customers have different business requirements, they all basically want the same thing – to have us help them reduce the pain of developing security policies. Like the proverbial physician, our response cannot be simply “buy Information Security Policies Made Easy and call the auditor in the morning.” People are searching for more than a content pill, they are searching for guidance. They want a solution. This is one of the reasons we created our professional services team and our growing list of whitepapers and tools. Since this is all we do – day in and day out – we can actually make the pain go away. There is rarely a situation that we haven’t seen before.

But there is something else. What would make one person love doing something that most people loathe doing? Having done this for many years, I have found that there is a certain subset of people who really enjoy writing policies. You can call them “policy geeks” if you want. I am certainly one of them. But why? After a brief transactional analysis conducted between my Id and Super Ego, here is what I came up with.

  1. I like to write – I guess this is obvious, but most policy geeks also like to write. During my college years, I actually minored in Creative Writing. (Yes, they do have humanities courses at MIT.) Many people who do this for a living also publish books and papers and otherwise like to share their ideas. Take, for instance, my policy “mentor” Charles Cresson Wood. Charles is a prolific writer and has literally hundreds of published articles spanning nearly three decades.
  2. I like the chase – Security is an endless cat-and-mouse game. As soon as we feel like we have every single control you could imagine, a new threat or a new technology comes along and shows us that we still have holes. How else could our PolicyShield Subscription have over 2000 policy statements and have room for more?
  3. I like keeping people safe – When I was in 5th grade I was one of those crossing guards with the orange vest and badge. Like many security folks, I have always been drawn to the idea of keeping people safe – especially from themselves. I also don’t like bad guys. It really gets me ticked that high-school kids in Russia are able to exploit technology to take advantage of grandmas and churches halfway across the world.
  4. I like when people and technology collide – I have always been interested in the “people” side of information security. Many security folks are continually amazed at the overall lack of emphasis placed on people, even though they are involved in some way in every incident. Written security policies are the “glue” that integrates the rest of the technical and management security with the people who actually have to do the work.

So there you have it. You roll all of these together and you get a person who actually loves the challenge of creating detailed words that help address very detailed problems. I like to think that is why people are happy when they buy our products. They have been created by folks who really love doing this work. Any time you can have someone who loves what they do take over a bit of work from another person who considers it a chore, we are heading in the right direction.