It can be easy for policy to become a de facto standard continuing long after the justification for having it in place is no longer there. Additionally, as time goes on, the policy becomes more and more ingrained into the consious of those who follow it that soon nobody questions why any more and new people exposed to the policy are consequently dissuaded from questioning it. This issue is illustrated well by the story of the monkeys in the cage. I like to use this story and I don't know where it originated, so I can't take any credit for it myself. It goes something like this:
There is a cage containing five monkeys. It is a tall cage with a bunch of bananas hanging from the top of the cage out of reach. A ladder in the cage would allow the monkeys to climb up and enjoy the bountiful fruit above. Unsurprisingly, very quickly one of the monkeys starts to climb the ladder to get the bananas and ALL the monkeys get sprayed with ice cold water. The monkey on the ladder quickly retreats and the water stops. Shortly afterwards a second monkey starts up the ladder and all the monkeys get sprayed again and he comes back down empty handed. By the time a third monkey starts up the ladder, the other monkeys pull him down to avoid the ice water spray. Soon none of the monkeys are trying to climb up the ladder as they know what will happen.
One of the monkeys is then replaced by a new monkey who has not witnessed anything that happened to the other monkeys and understandably soon starts up the ladder to get the bananas. Immediately the other monkeys, keen to stay dry, roughly pull him down and implement some physical persuasion to make sure he doesn't try it again. The monkey gets the message and does not try to go up the ladder again. Another of the original monkeys is once again replaced and once again starts to make his way up the ladder. All the other monkeys inflict a beating on the new monkey including, cruicially, the previous new monkey who simply accepts that this is what happens when someone tries to get up the ladder. Perhaps this is something he does to feel part of a new group, whilst not wanting to challenge the status quo without knowing the background and making up for his previous error of judgement in climbing up the ladder himself. When a third original monkey is replaced, the process continues in exactly the same way.
Ultimately all the original monkeys have been replaced and none of the monkeys have ever been sprayed with water. However, none of the new monkeys try to climb the ladder and none of them know why. All they know is "it's just the way we do things around here".
The story illustrates the down-side of policies which are not reviewed with any regularity. I know how easy it can be to let policies stagnate, typically a cost of other business priorities and requirements taking precedent.
The main problem with failing to review and update policies is that your security controls may no longer be applicable to the risks that you face. If you review policies by just reading through the policy to see if anything needs to change, then you're most likely to just say "that sounds about right" and perhaps just change any outdated terminology. This is a false review as it won't address any changes in risk. By reviewing policies from the perspective of a risk assessment done at regular intervals (e.g. after any significant change or incident and at least annually) then you can consider the assets you are trying to protect, the threats against them and therefore the controls that are required to protect them. These new required controls can then be compared to the policy and any gaps reviewed and more appropriate controls applied.
Awareness is another key factor here. By the time all the monkeys have been replaced, the banana acquisition policy may have been updated to remove that crucial ice-cold soaking element. However, if this isn't communicated effectively to the monkeys then they will continue in the belief that the previous policy is still in force, not only depriving themselves of the fruit but continuing to needlessly inflict violence on anyone who tries to climb the ladder.
Another issue with out of date policies is also related to the beating that those poor new monkeys had to take after trying to get up the ladder. The policy was in place, nobody could justify the controls, and questioning or challenging the policy was actively discouraged. Unfortunately this ultimately gives security a bad name and the security department are seen as the bad guys who actively inhibit new ideas and growth. This is converse to the desired stance of security as an enabler to the business, which is how the security plan gets management buy-in, support and of course... funding!
So avoid ineffective controls and a bad reputation by reviewing and updating policies regularly, based on the output of risk assessments and communicating the changes effectively to those concerned. Then nobody needs to get covered with ice cold water, staff can challenge and ask questions without fear of retribution and the business can have all the bananas it can eat.
No comments:
Post a Comment