Security is a top priority at the Bank of Labor, but the financial institution updates its formal information security policy only once a year, maybe twice, regardless of what's happening in the ever-changing threat landscape.
That's not to say that the union bank ignores emerging threats such as new malware variants or phishing schemes, says Shaun Miller, the bank's information security officer. On the contrary, the organization, which has seven branches in the Kansas City, Kan., area plus an office in Washington, routinely tweaks its firewalls and intrusion-protection systems in response to new and active threats. To avoid fatiguing its 120 users, however, it refrains from formalizing new policies more frequently.
"The purpose of our policies is to be at a high level, not to cover every eventuality out there," says Miller. "We update procedures for tactical day-to-day stuff, but when it comes to our strategic direction on security going forward, we change our policies in a limited fashion so as to not overwhelm users."
The Bank of Labor isn't alone. Given how fast the threat landscape changes, it can be difficult for a company to modify something as rigid as a corporate security model to keep pace with every new attack vector. In a recent survey of 287 U.S.-based IT and business professionals conducted by Computerworld, CIO and CSO, 33% of the respondents said that they work for organizations that have had the same model for information security management in place for five or more years. Meanwhile, 23% said their model had been in place for three to five years, 33% said one to three years, and just 11% said less than a year.