Writing Cybersecurity Policies: You Don’t Have to be Michael Jordan

OVERVIEW

Cybersecurity policies are often viewed as the pinnacle of what a mature business represents. They are often created and pushed out during late-stage development because of how much time and emphasis must be given to them. This is a fallacy, mainly because when you look at people, process, and tools, the process comes before tools. You won’t know what tools you need until you outline and agree on a set of processes, which are dictated by policy. In addition to the word policy, there are standards, guidelines, regulations, procedures, controls, control objectives, metrics, influences, and risks… It’s no wonder smaller shops are completely lost!

In this talk, we will start off by working through the terminology together and then walk through the hierarchy of how they connect. With that out of the way, we can now discuss how you do not have to “Be Like Mike” (Michael Jordan) when writing policy. Too often, we are scared to implement something unless we can perfect it on the first round. Policies are a continual maturation process. Simply getting some basics down counts as a written policy! In this talk, we will go over how you can get started immediately after Blue Team Con, on Monday, with writing your corporate cybersecurity policy.

Presented By

FRANK MCGOVERN
Cybersecurity Architect, StoneX & Co-Founder, Blue Team Con