Information security folks are often the scapegoats in large organizations – they’re the reason why you can’t access this site, or why you can only choose between these two phones, or why your project is being delayed for security review.

But these decisions aren’t made to spite you, nor are they made at random. The drivers behind information security policy decisions are ones that try very hard to balance business needs and risk. Policies and procedures, while not glamorous, are absolutely essential to any large IT-enabled organization.

Why Startups Don’t Have Security Policies

When you’re small, your advantage is being able to move quickly. This speed comes at a risk – it’s easy to get derailed by a competitor (sorry, MySpace) or to have your funding run out before you gain traction (sorry, Bizzy). But even more than that, the basic equation boils down to having nothing to lose. Your company isn’t rich in physical assets, cash on hand, or other things that would be great fodder for lawsuits.

That’s why it doesn’t matter that you work from your personal phone, that you store sensitive documents in the cloud, and that you don’t encrypt anything you send back and forth on servers you don’t own. Mature organizations simply can’t afford to take risks like this, and so the need for policies to limit risk is born.

Beyond Risk Management: Laws and Regulations

In addition to keeping the risk of litigation down, policy also helps keep compliance up. Laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act place great demands on organizations to control and protect your medical and financial records. The only way to ensure that this is done on a consistent basis, across systems and platforms, while still getting business done is to put policies in place for guidance.

Other frameworks that are widely in use, especially in government systems and by companies who perform government contract work, are the Federal Information Security Management Act of 2002 (FISMA) and the National Institute of Standards and Technology (NIST) Special Publication 800-53. These two documents work together to set out standards and accountability measures that transcend particular technologies. By focusing on larger, business-driven issues, the policy can remain relevant across time, projects, and agencies – and it is such a well-done set of standards that it is even used outside of the Federal Government.

Project Management

In addition to helping with the day-to-day operational elements, security policy is often baked into Project Management and Development Lifecycles at major IT-enabled organizations. By merging the business needs with the security and technology standards and requirements early in the process, it’s possible to both reduce development times and increase the security posture of a project all at once.

As new projects are initiated, project managers and project teams work hard to identify areas of the business process that will be positively impacted by the project. At the same time, security professionals work to evaluate the potential risks, vulnerabilities, and mitigation strategies. By coming together at specific times (typically known as “Milestones”), these teams can compare notes about how best to move forward, with both sides of the business in mind. Again, the driver here is that there is something to gain (competitive advantage, increased sales, differentiation, or some other opportunity) and also something to lose (customer data, proprietary information, competitive advantage, etc.).

Why Policy Matters

While the advantages of new technology are often made quite clear by their vendors, industry case studies, and sales people, the potential drawbacks and vulnerabilities are often not as easily identified. By putting security policies and procedures in place that reflect a realistic balance between the advantage of moving swiftly and the benefits of being cautious, organizations can ensure that they retain the core elements while continually moving forward. Well-designed security policies allow for this vision across multiple projects, no matter the technology, and keep the business drivers constantly at the forefront.

It may not be the flashy side of Information Technology, but trust me: policy matters.

Comments or questions? Sound off below! Contact Shay at  or on Twitter @ShayColson.