I wonder if anyone has ever tried to rigorously study whether the existence of company #infosec policies has any impact on #security outcomes.

I mean, I think explicit policy is a good thing beyond its concrete effect on security, but I'm increasingly unconvinced of any effect.

@grumpybozo the existence of policies is useless without training. $client has policies around email handling and yet I have users at $client that request the release of emails about a refund from a foreign tax department...

Policies are good and a necessary step but not the end of the process.

@quikkie @grumpybozo agreed, very often I see the defeatist attitude of "policies don't fix the issue 100%, so might as well give up on them". Well, even if they only help a bit, I'll still take it.