Security is a top priority at the Bank of Labor, but the financial institution updates its formal information security policy only once a year, maybe twice, regardless of what's happening in the ever-changing threat landscape.
That's not to say that the union bank ignores emerging threats such as new malware variants or phishing schemes, says Shaun Miller, the bank's information security officer. On the contrary, the organization, which has seven branches in the Kansas City, Kan., area plus an office in Washington, routinely tweaks its firewalls and intrusion-protection systems in response to new and active threats. To avoid fatiguing its 120 users, however, it refrains from formalizing new policies more frequently.
"The purpose of our policies is to be at a high level, not to cover every eventuality out there," says Miller. "We update procedures for tactical day-to-day stuff, but when it comes to our strategic direction on security going forward, we change our policies in a limited fashion so as to not overwhelm users."
The Bank of Labor isn't alone. Given how fast the threat landscape changes, it can be difficult for a company to modify something as rigid as a corporate security model to keep pace with every new attack vector. In a recent survey of 287 U.S.-based IT and business professionals conducted by Computerworld, CIO and CSO, 33% of the respondents said that they work for organizations that have had the same model for information security management in place for five or more years. Meanwhile, 23% said their model had been in place for three to five years, 33% said one to three years, and just 11% said less than a year.
However, 50% of those polled said their organizations are considering making changes to their infosec management models. When members of that group were asked what factors are driving their employers to contemplate a change, the top three responses were concerns about breaches and data loss (cited by 78% of the 144 respondents), technology advancements and upgrades (53%), and regulatory compliance (49%).
How often to adopt infosec policy changes is a conundrum. Companies need to come up with a way to remain flexible, to ensure that their policies and procedures reflect the current threat landscape, yet they can't hand down so many new rules and restrictions that they frustrate users and inadvertently compel them to consider bypassing corporate rules, explains Kelley Mak, an analyst at Forrester Research.
At the same time, companies have to strike a balance between using firefighting tactics to address the most current threats and treating information security policy as a holistic strategy, Mak says. "It's not as simple as taking the data and making a new policy, because you have to make sure information workers aren't upset," he says. "The more restrictions you put in place, the more likely someone is to go around it."
That's exactly what Miller is trying to avoid. The Bank of Labor maintains an information security policy that addresses high-level issues, including the bank's overall stance on security and broad rules, such as a mandate requiring employees to use passwords to access data. The policies, which are put in place only after board approval, don't get into the weeds of the technology or spell out details such as the exact character requirements for passwords (which might change over time, anyway).
To complement the broad policies, Miller's group regularly modifies rules to tackle current security gaps. Most recently, the security team blocked the use of Flash software because of its well-publicized vulnerabilities, and because it's rarely used in business-related websites anymore. "We don't consider that a change to policy," Miller says. "Our board of directors approves policy, and they don't know what Flash is or what it does. It's just an example of a simple, day-to-day business response to threats as needed.