Building A Corporate Cyber Security Policy

In Part 1 of our series on creating a robust cyber security policy, we looked at issues such as employee training, cyber security priorities and focus, monitoring and updating and so on. Today, we look at a list of 8 questions that every company should be asking about its cyber security policy to ensure its robustness.

Is the cyber security policy aligned with the business strategy?

A lot of companies treat cyber security as solely within the IT Department’s remit. This can result in situations where cyber security lags behind the plans being made and executed by the business divisions, so that security policies are always out of sync and playing catch-up rather than being integral to planning.

What’s the level of importance that board members or senior executives place on cyber security?

Is it something that is discussed in Board meetings? Is it something that forms part of the Key Performance Indicators of the Business Units? It should be. KPIs should track not only revenue but risks as well, and this includes things like regulatory lapses, digital security breaches and so on.

What does the future digital footprint of the company look like?

Businesses and individuals are increasingly relying on third-party vendors, sometimes without even realising it. Every time we use a web-based service like an online accounting tool or even Google Docs, we are sending our information to a third party. There is nothing wrong with this at all, but such external dependencies should form a part of the overall cyber security policy.

Does functionality trump security?

Are we willing to compromise on security if it is creating a functional bottleneck?

Are the policies being applied universally?

More often than not, security breaches are not the result of an inadequate policy, but rather of the policy not actually being implemented fully. For example, a policy might call for user access to certain applications to be restricted to business heads only, but then those business heads often delegate their authority or even share login credentials with staff.

How stringent are our third-party controls?

It is not uncommon for third-party vendors to have access to certain critical data that they require in order to function. A lot of data breaches affecting big companies happen not directly, but rather through their vendors. Malicious actors are fully aware that small third-party vendors are the weakest links, and that is where they focus.

How strong is our monitoring and vigilance?

How long would it take us to tell if a breach has even occurred?

How effective is our response?

Essentially nothing is a hundred percent secure; even military departments get hacked on occasion. Therefore all companies should have a response plan prepared in advance rather than scrambling for one if and when a breach does happen. This response plan should include things like a backup contingency to fall back on, a plan to communicate the breach to relevant stakeholders, including clients, and a way to ensure that enough evidence about the breach gets recorded.
