After years of working their way up the chain, technical computer security issues have found their way to the top—your desk. How do you have any way of knowing whether your employees are implementing secure systems or simply checking boxes?

These are the 5 policies you should have:

“Show Me, Don’t Tell Me.”
Insist your employees “show you, not tell you” about your organization’s security. They must plainly and thoroughly explain everything to you. Certification standards do not ensure your company is secure. If you lose data, you will be deemed to have violated the standards 100% of the time. For a real-world example, read this news article (link), with some thoughtful quotes from Bob Carr at Heartland Payment Systems on the aftermath of their 2009 breach.

“No Comparisons.”
Forbid comparisons to other companies or industries.
Terms like “bank-level security” and “government-grade encryption” are empty words—banks and governments are compromised all the time.

“We Only Follow Published Standards.”
Know your standards and the issuing organizations.

Strong Encryption. Established under NIST guidelines and changed frequently. To stay informed, go to (link) and subscribe to their email alerts. In particular, subscribe to the following under the NIST Computer Security Resource Center:

  • Special Publications (NIST 800-XX)
  • FIPS
  • Interagency Reports
  • ITL Security Bulletins

PCI Compliance. Established by the Payment Card Industry for securing credit card data. If you are storing sensitive data other than the credit card number, your data is not in scope for the most stringent requirements (aka you “pass” PCI). Automated “PCI scans” do not assess PCI compliance. PCI compliance is documented via an Attestation of Compliance or a Report on Compliance; there is no such thing as a “PCI Certificate”.

US-CERT. The US Cybersecurity Emergency Readiness Team, part of the Department of Homeland Security. This is the best resource for responding quickly to security threats. Please stop reading now and subscribe to their notification service at (link). Do this now. Subscribe to all of the National Cyber Awareness System mailing lists. Additionally, ensure that every employee receives the “Tips” mailing list.

OWASP stands for the Open Web Application Security Project and maintains a set of rules that are incorporated by reference in hundreds of compliance standards and regulatory documents. The following guides should be reviewed in particular:

“We Must Know If There’s an Issue ASAP.”
This is a repeat item: ensure you and your team have subscribed to the following mailing lists. They send a low volume of email, are easy to understand, and are both relevant and actionable.


“If Something Goes Wrong, We have to Respond with Speed and Accuracy.”
Form an Incident Response Team. Companies that respond well to a crisis maintain the strongest reputations. It is better to be 95% perfect and good at managing a crisis than to be 100% perfect and bad at managing a crisis. You are never 100% perfect, and computer security evolves so quickly that at some point you will be behind the curve.

Skim this document on building an Incident Response Team from SEI (pdf) to get a better understanding of how to build, train, and use your Incident Response Team. Constructing an Incident Response Team will increase your situational awareness throughout your entire business, making the time pay off in all sorts of unexpected ways.

As an added bonus, following the above rules should help you:

  • Spend less time doubting your IT staff and more time running your business
  • Empower your employees to spot trouble quickly—whether it’s a security breach or an expensive operational inefficiency.
  • Become a leader in your industry by being focused and thorough, and inspiring trust.