The Problem with Security Documentation
One of the questions we often hear is, ‘what document do I need to write?’ As professionals, we all understand that documentation is important. It allows security risks and actions to be formalised and provides good evidence of the security activities that have been undertaken.
Is it the best question you can ask, though? In fact, can asking that question itself be a problem, one that leads to poor behaviour around security and risk? Let’s understand why.
Asking what document needs to be written suggests that security has an end state: a document. All the context, threats, vulnerabilities and risks neatly tied up in one, usually very large, document.
This conception of security documentation also contradicts the Secure By Design principle of continual, through-life management. We still see organisations recruiting consultants to produce a document for sign-off. Sure, a document can be updated for review and sign-off. But when this happens, what does it actually mean? What effect does it have on the capability delivering the requirements? How does it affect leadership and ownership of risk?
A better question to ask, then, is ‘what is the risk?’
This simple question, posed to the right person, can drive a completely different set of behaviours. Answering it well requires good preparation work by the delivery team. This may include:
Understanding the objectives of the capability and how risks relate to them.
Who the right stakeholders are and how they interact with risk.
Which assets have been assessed as critical to achieving the objectives.
How these assets may be susceptible to the assessed threats.
What the impact of losing an asset may be.
The ability to communicate the risk to the right person, with options for how to manage it.
This preparation work is part of what we call the ‘Practical Preparation Process’ within our ‘Cyber Design Accelerator.’ It is key to managing risks well. At bee-net, we can show you how to use it to good effect, so that you can establish a proactive culture of risk management and get a good answer to the right question. Of course, you will still need to document all of this… but in living documents that will more commonly be embedded in your business and operational plans.