October 18, 2022
Strengthen your cybersecurity management policy with the human firewall
The need for cybersecurity is growing with the dynamic, distributed, disrupted, and particularly digital nature of business. Digital transformation is making cybersecurity even more critical to protect the organization, maintain resilience, and compete in today’s chaotic and digital business environment. The threats to business come from all angles and include the malicious, but also the ignorant and inadvertent.
Protecting the organization and its cyber assets and processes is even more challenging when one considers the extended enterprise of third-party relationships that are critical to the cyber and digital operations of the business: vendors, outsourcers, service providers, consultants, contractors, and more.
We all know that firewalls are critical to cybersecurity. The network firewall has been the bastion of corporate protection from the deviant and malicious for forty years. Then there are application firewalls and personal firewalls. Firewalls are critical to the organization to protect it from hackers, viruses, and worms (oh my!). But what is often overlooked is the most critical firewall in the organization: The human firewall.
How does better policy management bolster cybersecurity?
The weakest area of any cybersecurity strategy is humans. Humans make mistakes, they do dumb things, they can be negligent, and they can also be malicious. In the technical world we can lock things down and the world operates in binary. In the world of human interaction, it is not binary but shades of grey. Nurturing corporate cybersecurity culture and behavior is absolutely critical.
The human firewall is the greatest protection of the organization. At the end of the day, people make decisions, initiate transactions, and have access to data and processes. Individuals need to know what is expected of them and what their role in cybersecurity is. The human firewall is all about policy management and engagement.
Should my business invest in building policies?
A decade ago, I was involved with The Institute of Risk Management in London in developing Risk Culture: Resources for Practitioners. In this guidance, there is the A-B-C model:
A: The Attitudes of individuals shape the…
B: Behavior of these individuals and of the organization overall, which in turn forms the…
C: Culture of the organization.
And that culture, in turn, has a symbiotic effect further influencing attitudes and behavior.
Culture is one of the organization’s greatest assets. It can spiral out of control and become corrupt quickly, but it can take years, or even decades, to nurture and build in the right direction. The human firewall is the greatest bastion and guardian of the integrity of the organization and its cybersecurity culture, as well as its broader governance, risk management, and compliance culture.
It is critical that organizations invest in the human firewall, and that means investing in policy management and engagement. Organizations need to ensure they have the right cybersecurity policies, clearly written and relevant. But they also need the right policy portal and real engagement with those policies, as that is what builds the foundation for educating individuals and developing a strong cybersecurity culture.
Why policy management matters to strengthen the human firewall
Every organization needs a human firewall. So, what is a human firewall? What is it composed of? The following are essential elements:
- Policy Management: Policies govern the organization, address risk and uncertainty, and provide the boundaries of conduct within which the organization acts with integrity. The organization needs cybersecurity policies that are easy to understand and that apply to the context they govern. It is absolutely essential that policies be well-designed, well-written, consistent in style, maintained, and monitored, as they provide the foundation for the human firewall.
- Policy Engagement: Well-written and maintained cybersecurity policies are not enough; they also need to be communicated to, and engaged with by, the workforce. It does the organization no good, and can actually be a legal liability, to have policies that establish standards of conduct that are never communicated to the people expected to follow them. All cybersecurity policies should live in a common policy portal so they can be easily accessed, and each should have a regular communication and engagement plan.
- Training: The next part of the human firewall is training. Individuals need training on cybersecurity policies and procedures, and on what constitutes proper and improper conduct in the organization’s digital processes, transactions, and interactions. Training applies policies to real-world contexts and aids understanding, which strengthens the human firewall.
- Issue Reporting: Things will go wrong. Bad decisions will be made, inadvertent mistakes will happen, and the malicious insider or hacker will do something wrong. Part of the human firewall is providing mechanisms such as hotlines, whistle-blower systems, management reports, and other issue-reporting channels so that employees in the front office and back office can report where cybersecurity is breaking down or going wrong before small problems become big issues for the organization.
- Extended Enterprise: The modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is an extended web of relationships: suppliers, vendors, outsourcers, service providers, consultants, temporary workers, contractors, and more. Walk down the halls of an organization and half the people you pass, the insiders, are no longer employees. They are third parties. The human firewall also has to extend across these individuals, who are a core part of the organization’s digital processes. Policies, training, and issue reporting should encompass the web of third-party relationships that shape and form today’s organization.
Cybersecurity is the responsibility of everyone in the business. Through effective policy management and engagement, InfoSec and policy management teams can safeguard the business’s crown jewels, build a culture of strong cybersecurity, and in turn build the best protection the organization can offer: a human firewall.
About the Author
Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) — with specific expertise on the topics of enterprise GRC, GRC technology, corporate compliance, and policy management. Prior to founding GRC 20/20 Research, Michael was a Vice President and Top Analyst at Forrester Research, Inc. Before Forrester, he led the risk/compliance consulting practice at a professional services firm, and prior to that he gained specific experience managing compliance and risk within commercial organizations.