Building a True Cybersecurity Culture: Policy-as-Code
By Sofía Garduño | Journalist & Industry Analyst -
Thu, 06/08/2023 - 12:16
To establish a robust and effective cybersecurity culture, organizations must go beyond mere policy documents and strive for comprehensive implementation and enforcement. Policy-as-Code (PAC) emerges as a powerful solution in this pursuit by leveraging the use of machine-readable code to define and manage cybersecurity policies. By translating policies into code, organizations can automate the implementation and enforcement of policies, ensuring consistency, reducing errors and improving operational efficiency, according to industry experts at Mexico Cybersecurity Summit 2023.
Traditional policy management processes relied on manual interpretation, implementation and enforcement, leaving room for human error and delays. However, the adoption of PAC introduces a transformative approach to policy management. “PAC is a framework for automating the information security policies that organizations require,” says Julia Urbina Pineda, Head of Cybersecurity, CyberIIoT.
By translating policies into machine-readable code, organizations can leverage automated monitoring and enforcement capabilities that span their systems and networks. The use of automation empowers teams to operate swiftly and consistently, significantly reducing the likelihood of mistakes and ensuring the timely implementation of policies. With PAC the need for manual intervention is eliminated, mitigating the risk of misconfigurations or oversight that can potentially expose organizations to cyberthreats.
PAC presents a significant opportunity for organizations to automate processes that impact productivity and operational efficiency. It is not limited to the realm of IT systems but can be implemented organization-wide. The primary objective of PAC is to assist organizations in implementing cybersecurity practices and codifying their behaviors, ensuring consistency and reducing human errors.
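As an added illustration of the idea (not code from the summit panel or from any vendor), the block below is a minimal policy-as-code engine in Python: each cybersecurity policy is a named, versionable predicate over a resource record, every resource is evaluated the same way each run, and a gate turns the result into an enforcement decision. The inventory fields, resource types and policy names are constructed for the example.

```python
# Added example: a minimal policy-as-code engine. Policies live in code, so they
# can be reviewed, versioned and applied identically on every evaluation.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"id": "s3-logs", "type": "bucket", "public": False, "encrypted": True},
    {"id": "s3-web", "type": "bucket", "public": True, "encrypted": False},
    {"id": "alice", "type": "user", "mfa": True, "admin": True},
    {"id": "svc-ci", "type": "user", "mfa": False, "admin": True},
    {"id": "vm-db", "type": "vm", "open_ports": [22, 5432], "patched_days": 45},
]

@dataclass(frozen=True)
class Policy:
    name: str
    resource_type: str
    severity: str
    check: Callable[[dict], bool]  # returns True when the resource is compliant

# The codified policies (constructed). Each is a one-line, testable rule.
POLICIES = [
    Policy("no-public-buckets", "bucket", "high", lambda r: not r["public"]),
    Policy("buckets-encrypted", "bucket", "medium", lambda r: r["encrypted"]),
    Policy("admins-require-mfa", "user", "high", lambda r: r["mfa"] or not r["admin"]),
    Policy("no-db-port-exposed", "vm", "high", lambda r: 5432 not in r["open_ports"]),
    Policy("patched-within-30d", "vm", "medium", lambda r: r["patched_days"] <= 30),
]

def evaluate(inventory: List[dict], policies: List[Policy]) -> Dict[str, List[str]]:
    """Apply every policy to every resource of its type; return {policy: [failing ids]}."""
    violations: Dict[str, List[str]] = {}
    for p in policies:
        failing = [r["id"] for r in inventory
                   if r["type"] == p.resource_type and not p.check(r)]
        if failing:
            violations[p.name] = failing
    return violations

def gate(violations: Dict[str, List[str]], policies: List[Policy]) -> str:
    """Enforcement decision: block when any violated policy is high severity."""
    severity = {p.name: p.severity for p in policies}
    return "block" if any(severity[n] == "high" for n in violations) else "allow"

if __name__ == "__main__":
    found = evaluate(INVENTORY, POLICIES)
    for name, ids in found.items():
        print(f"{name}: {ids}")
    print("decision:", gate(found, POLICIES))
```

The same `evaluate` call can run in a CI pipeline or on a schedule against a live inventory, which is where the consistency and misconfiguration-reduction benefits described above come from.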
To achieve successful PAC implementation, it is crucial to properly identify risk analysis and standards and align them with the organization's operational processes. This entails considering the organization's specific assets and threats. Furthermore, a strategic planning approach and training of the personnel involved are essential. “Achieving seamless integration requires a great deal of patience to find the appropriate framework that aligns with the maturity level of the companies involved, as well as engaging the right stakeholders,” says Edmundo Lozano, GIS Director and Regional CIO, LARN, Whirlpool Corporation.
Before applying PAC, companies must first invest in technology consolidation and integration. In this process, identifying the most suitable use cases for automation is crucial given the numerous possibilities. This enables a transition toward a more robust integration within the company, effectively managing and administering automated policies.
With PAC, organizations can leverage policy automation to enhance consistency, reduce errors, and strengthen cybersecurity practices across all levels. By implementing PAC correctly, organizations establish a constant shield of protection that safeguards their assets and ensures safer and more efficient operations.
Culture is one of the pillars for the effective functioning of any organization. A great opportunity lies in establishing a strong partnership between the legal and compliance teams to address digital transformation matters. This collaboration helps permeate the cultural aspect. While companies already have their policies documented, implementing PAC can simplify the operationalization of each policy.
“Working on a culture involves understanding the UX and creating a set of values while actively promoting the embodiment of these values from top to bottom,” says Alfredo Sastré Barraza, President, Csoftmty.
Defining a gradual implementation plan focused on the rapid adaptation of the organizational culture is crucial. As part of this process, it is important to provide training to the entire organization using digestible content, ensuring that employees can easily understand and incorporate the principles of PAC. Furthermore, efforts should be made to adapt existing processes, integrating policy automation seamlessly into the company's workflows.
Collaboration between departments plays a significant role in this endeavor, as it fosters the development of appropriate and relevant policies that reflect the unique needs and challenges of the organization. By aligning efforts and leveraging the collective expertise of different teams, organizations can establish a cohesive approach to PAC implementation, driving cultural change and enhancing cybersecurity practices throughout the company.
For a proper implementation of PAC, the role of the CISO is key. “The CISO needs to be familiar with the overall objectives of the company. With these standards, it is necessary to identify their applicability in a client's technological environments,” says Octavio Martínez Mellado, CIO, ENGIE Mexico.
Artificial intelligence (AI) also plays an important role in the deployment of PAC. But while it is a trendy topic, AI still needs to mature before its full potential can be leveraged. “AI has the purpose of improving the quality of life for users. Its major challenges lie in ethics and governance to ensure that algorithm design is responsible,” says Manuel Díaz, Cyber Security Director, Huawei.
An enterprise should establish principles of AI governance that emphasize collaboration to serve individuals, prioritizing security and the privacy of personal data. In cybersecurity, AI serves as a valuable support, helping to avoid false negatives in automation. However, the careful handling of data is essential, as it can be susceptible to positive or negative biases. AI should be used to support PAC within an internal corporate environment. Transitioning to an AI model requires working on data and defining data structures to enable its intelligent exploitation. It is crucial to recognize that technology, processes and people are the necessary components for evolution; technology alone is not sufficient.