One of the core services that Keep Secure offers is the creation and implementation of cyber security policy. Cyber security policy is complex and touches almost every aspect of an organization. In our view, cyber security policy should be thoughtfully created, considering the unique elements of a company's context, and it should align with the company's goals. Flexible, well-built policy can function as an enabler for an organization, allowing it to move fast and meet new market demands. Unfortunately, companies often treat it as a check-box activity they must complete to satisfy a requirement, whether imposed by a customer or by a regulation.
In the past, we have lost some of these engagements to automated tooling that purports to supply “built-in” and “pre-made” policy that can be customized using a small set of questions that a customer can easily answer. It is almost disheartening to see companies go down this path, and skirt doing this important cyber security activity properly. For a long time, I struggled to find a way to describe why policy can’t be done in a generic way like this. Recently I came across the term “supervenience” and I thought I’d explore how we can use this concept to better explain the importance of doing cyber security policy properly.
Strictly, supervenience is a philosophical concept describing a dependence relation between levels or sets of properties of a system: a set of higher-level properties supervenes on a set of lower-level properties when there can be no difference at the higher level without some difference at the lower level. In other words, the higher-level properties or features of a system are fixed by, and depend on, the lower-level properties. The strength and effectiveness of higher-level properties rely on the foundational properties, while (and this is the extension we make for cyber security) the context in which a system runs governs what is possible at the lower-level properties. Understanding supervenience allows for an integrated approach to system design, one that recognizes the importance of reinforcing foundational elements and of considering the contextual factors that shape the system.
Think of supervenience as the interconnectedness of the different layers of a security system, much like the layers of a building. Just as a building relies on a solid foundation to support its upper floors, cyber security depends on strong foundational controls to protect higher-level components. Applied to cyber security, the concept also recognizes the crucial role of the organization's context in determining which foundational security controls are appropriate. The interdependence is therefore not only vertical (between layers) but also horizontal, across the entire cyber security stack.
The context of an organization, initiative, or project plays a vital role in shaping the foundational security controls that should be put in place. Just as different buildings require different types of foundations based on factors like location, size, and purpose, organizations have unique characteristics that necessitate tailored security measures.
For instance, consider two organizations operating in different industries: a financial institution and a creative agency. The financial institution handles highly sensitive customer data and must adhere to strict regulatory requirements. In this case, the foundational security controls would likely include encryption of customer data at rest and in transit, network segmentation that isolates the systems holding that data, and stringent access controls, all aimed at protecting customer information and maintaining compliance.
On the other hand, the creative agency may prioritize collaboration and flexibility, requiring foundational security measures that facilitate secure file sharing and protect intellectual property. In this case, secure cloud storage, encryption for sensitive design files, and secure remote access controls would be foundational security controls tailored to the organization’s context.
Similarly, the context of a specific project or initiative within an organization may also influence the foundational security controls. For example, a research and development project involving the development of a new technology may require heightened security measures to protect intellectual property and prevent unauthorized access. This could involve implementing secure development practices, access controls for sensitive project data, and strict monitoring of network activity.
When it comes to cyber security policy, a one-size-fits-all approach simply won’t cut it. To establish an effective and relevant policy, it is crucial to understand the unique context of the organization. This includes considering factors such as the industry, size, geographical location, regulatory compliance requirements, risk profile, and technology landscape.
Understanding the organizational environment is paramount. Different industries carry different cyber security risks and regulatory obligations. For example, a financial institution faces elevated risk because of the sensitivity and direct monetary value of customer financial data, while a healthcare organization must comply with strict regulations surrounding patient privacy. By recognizing the specific risks and compliance requirements of the industry, organizations can tailor their cyber security policy to address these challenges effectively.
Size also matters when it comes to cyber security. Small businesses may have limited resources and expertise, while larger enterprises often have more complex infrastructures, a larger attack surface, and a higher likelihood of being deliberately targeted. Tailoring the policy to the organization's size ensures that the security measures are realistic, scalable, and appropriate for its specific needs.
Geographical location is another factor that influences the cyber security landscape. Different regions may have varying legal and regulatory frameworks, as well as specific threats prevalent in that area. By understanding the regional context, organizations can align their cyber security policy with the local requirements and address the unique challenges they may face.
Compliance with specific regulatory requirements is of utmost importance in many industries. Organizations must ensure that their cyber security policy aligns with these regulations to avoid legal repercussions and protect sensitive data. By understanding and adhering to the specific compliance requirements, organizations can build a policy that meets the necessary standards and safeguards their operations.
Additionally, considering the organization’s risk profile and technology landscape is crucial. Every organization has its own unique risk profile, influenced by factors such as the value of data, potential threats, and the impact of a security breach. By conducting a comprehensive risk assessment, organizations can identify the specific risks they face and tailor their policy to address those risks effectively. Furthermore, understanding the technology landscape allows organizations to align their policy with the existing infrastructure, applications, and systems, ensuring that the security measures are compatible and effective.
By tailoring the cyber security policy to the organizational context, organizations can establish a more relevant and effective security posture. This approach ensures that the policy addresses the specific risks, compliance requirements, and technological landscape of the organization, providing a solid foundation for cyber security. Building on this solid foundation, which is fit for purpose for the organization (or the initiative) enables the organizations to move fast to meet their goals.
I think the core point to leave with is this: in a system that can be described in terms of supervenience, the upper levels of the system (in our case, organizational context) govern what the lower levels (in this case, technical controls) need to be. The technical controls level, however, constrains what is possible at the organizational level. You need to consider both, moving back and forth between them, to arrive at an effective policy that enables your desired business outcomes.
A generic cyber security policy may seem convenient, but it fails to address the unique needs and risks of organizations. By understanding the concept of supervenience and its role in cyber security policy, organizations can build a strong foundation that aligns with their specific context. This approach ensures a more effective and relevant security posture, protecting organizations from threats, compliance gaps, and potential cyber incidents. By prioritizing foundational security, tailoring the policy to the organizational context, and embracing continuous improvement, organizations can establish a robust cyber security policy that safeguards their digital assets and operations allowing them to meet their goals and, potentially, expand into new areas and market segments.
 
Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, from senior architecture-level decision-making to the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.