In Day 1: Why Cybersecurity Needs “Bakers” – Building the Foundation, I introduced you to the cybersecurity colour wheel, where teams like Red, Blue, Yellow, and Purple come together to defend organisations against cyber threats. At the centre sits the White Team, the “Bakers” like me, who develop the frameworks, policies, and governance strategies that hold everything together.
But what does that mean in practical terms? I’m going to dive deeper into one of the key roles of a White Team member: developing security policies.
Why Policies are the Foundation of Cybersecurity
In cybersecurity, policies are like the rules of a board game: they tell everyone what to do, when to do it, and why it matters. Without clear policies, even the strongest Red Team testers or Blue Team defenders can’t work effectively. Policies define how systems are protected, risks are managed, and processes are followed, ensuring everyone—from IT specialists to regular employees—plays their part in keeping the organisation secure.
This is where my experience in quality assurance (QA) becomes invaluable. In QA, I spent over 15 years writing detailed policies to meet international standards like the OECD Principles of Good Laboratory Practice (GLP) and Compliance Monitoring and ISO 9001:2015 (Quality Management Systems). These policies helped organisations maintain high-quality products, improve processes, and reduce risks, skills that directly translate to cybersecurity resilience.
In the blog on Day 1, I described the role of the White Team (Bakers) and how they provide structure to the chaotic world of cybersecurity. Writing policies is a core part of that structure. Just as a baker follows a recipe to produce consistent results, security policies act as recipes for managing threats, protecting data, and recovering from incidents.
Let’s align this with my experience:
- In QA, I ensured processes were precise, repeatable, and compliant.
- In cybersecurity, I can use this same approach to create policies that are clear, actionable, and adaptive to emerging risks.
Strong policies are the bridge that connects teams across the cybersecurity colour wheel, ensuring everyone knows their role and can collaborate effectively.
Key Security Policies Aligned with the Essential Eight
Cybersecurity policies align closely with frameworks like the Essential Eight, a set of eight practical mitigation strategies recommended by the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC). Here’s how well-defined policies bring these strategies to life:
- Application Control Policy
Ensures only approved applications can run on systems, reducing the risk of malware. As an example, a policy that allowlists1 trusted software and blocks everything else, with rules based on publisher certificates or file hashes rather than file names, which an attacker can simply rename around.
1An allowlist (historically called a whitelist) is a cybersecurity strategy that approves a list of email addresses, IP addresses, domain names or applications, while denying all others.
- Patch Management Policy
Outlines how and when software and systems are updated to fix vulnerabilities. As an example, a policy requiring critical patches to be installed within 48 hours of release. The Essential Eight Maturity Model applies exactly this window to vulnerabilities in internet-facing services that are rated critical by the vendor or have a known working exploit, with longer windows for less severe vulnerabilities, so the policy should state clearly which patches the 48-hour clock applies to.
- Access Control Policy
Limits user access based on roles, ensuring only those who need sensitive data can access it, and keeps privileged accounts to a minimum. As an example, enforcing multi-factor authentication (MFA) for administrators and reviewing on a set schedule who holds administrative rights.
- Backup and Recovery Policy
Defines how data is backed up, stored securely, and restored during a cyber incident. As an example, a policy requiring daily backups kept offline or otherwise out of reach of the accounts an attacker is likely to compromise, and tested regularly by actually restoring from them rather than only confirming that the backup job ran.
- User Application Hardening and Office Macro Policy
Disables risky features like macros, browser plugins, or outdated components to reduce exposure to attacks. As an example, blocking macros in Microsoft 365 Office files unless a user has a demonstrated business need, and blocking macros in files downloaded from the internet outright. The Essential Eight counts Office macro settings and user application hardening as two separate strategies; a single policy can cover both as long as it spells out the rules for each.
Taken together, these five policy areas cover all eight strategies: patch management covers patching applications and patching operating systems, and access control covers both restricting administrative privileges and multi-factor authentication. They form the backbone of cybersecurity defences, making sure everyone in the organisation, whether a developer (Yellow Team) or a threat responder (Blue Team), has clear rules to follow.
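The policy examples above only earn their keep when someone can check whether they are being followed. As an added illustration (not code from the original post), the following Python script turns two of them, the 48-hour critical patch window and MFA for administrators, into automated checks over a constructed sample inventory. The Host, Patch and Account records, the host names, patch IDs and user names are all hypothetical stand-ins for data that a patch-management tool and an identity provider would normally supply.

```python
"""Policy-as-code checks for two of the policy examples above.

Added illustration, not code from the original post. It assumes a simple,
constructed inventory format (the Host/Patch/Account records below); real
data would come from a patch-management tool and an identity provider.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy parameters, written once so that an audit can point at them.
PATCH_SLA = timedelta(hours=48)          # critical patches within 48 hours
PATCH_SLA_SEVERITY = "critical"          # the severity the 48-hour window covers


@dataclass
class Patch:
    patch_id: str
    severity: str                        # "critical", "high", "medium", ...
    released: datetime                   # vendor release time (UTC)
    installed: Optional[datetime]        # None = not installed yet


@dataclass
class Host:
    name: str
    patches: list


@dataclass
class Account:
    username: str
    is_admin: bool
    mfa_enforced: bool


def patch_violations(hosts, now):
    """Return one finding per critical patch that breached the 48-hour window.

    Each finding is (host, patch_id, hours_overdue, still_missing). A patch
    that is not yet installed is treated as if installed at `now`, so a
    missing patch only becomes a finding once its deadline has passed.
    """
    findings = []
    for host in hosts:
        for p in host.patches:
            if p.severity != PATCH_SLA_SEVERITY:
                continue
            deadline = p.released + PATCH_SLA
            effective = p.installed if p.installed is not None else now
            if effective > deadline:
                overdue_h = (effective - deadline).total_seconds() / 3600
                findings.append((host.name, p.patch_id, round(overdue_h, 1),
                                 p.installed is None))
    return findings


def mfa_violations(accounts):
    """Admin accounts without enforced MFA (the access-control policy example)."""
    return [a.username for a in accounts if a.is_admin and not a.mfa_enforced]


def evaluate(hosts, accounts, now):
    """Run every check and report whether the environment is compliant overall."""
    patch = patch_violations(hosts, now)
    mfa = mfa_violations(accounts)
    return {"patch": patch, "mfa": mfa, "compliant": not patch and not mfa}


def T(s):
    """Parse a constructed ISO timestamp as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample inventory (hypothetical hosts, patch IDs and users).
NOW = T("2024-01-10T12:00")

SAMPLE_HOSTS = [
    Host("web-01", [
        Patch("PATCH-001", "critical", T("2024-01-05T00:00"), T("2024-01-06T12:00")),  # 36 h: OK
        Patch("PATCH-002", "critical", T("2024-01-05T00:00"), T("2024-01-08T00:00")),  # 72 h: 24 h late
        Patch("PATCH-003", "critical", T("2024-01-09T00:00"), None),                  # deadline not yet reached
    ]),
    Host("db-01", [
        Patch("PATCH-004", "high", T("2023-12-01T00:00"), None),       # not covered by the 48 h rule
        Patch("PATCH-005", "critical", T("2024-01-01T00:00"), None),   # missing, 180 h past deadline
    ]),
]

SAMPLE_ACCOUNTS = [
    Account("alice", is_admin=True, mfa_enforced=True),
    Account("bob", is_admin=True, mfa_enforced=False),     # violation
    Account("carol", is_admin=False, mfa_enforced=False),  # not an admin, so not covered
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_HOSTS, SAMPLE_ACCOUNTS, NOW)
    for host, pid, hours, missing in report["patch"]:
        state = "still missing" if missing else "installed late"
        print(f"PATCH  {host}: {pid} {state}, {hours} h past the 48 h window")
    for user in report["mfa"]:
        print(f"MFA    admin account {user} has no MFA enforced")
    print("compliant" if report["compliant"] else "NOT compliant")
```

Run it as a script for a short report, or import it and call evaluate() from a scheduled job against live inventory. The design point worth copying is that the policy parameters (the window, the severity it applies to, who counts as an administrator) live in one place at the top of the file, so an auditor can read the rule and a reviewer can see when it changes.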
Why I Love Writing Policies
I’ve always enjoyed the challenge of creating policies that are both effective and easy to follow. Policies aren’t just documents to tick off during audits; they’re tools that empower teams to work securely and efficiently.
To write a good policy, I start by asking questions:
- What are we trying to protect?
- Who needs to follow this policy?
- How can we make it clear, actionable, and not overly complex?
Answering these questions is a collaborative effort. Working with subject matter experts, IT teams, and leaders ensures policies are realistic and aligned with the organisation’s goals.
It’s the same approach I took in QA:
- In biotechnology, I wrote policies that ensured compliance with strict regulatory standards.
- In cybersecurity, I can write policies that reduce risk, promote secure behaviours, and align with frameworks like the Essential Eight.
Policies in Action: Why They Matter
Policies are only valuable when they’re put into action. For example:
- Without a Patch Management Policy, systems can remain outdated and vulnerable, as seen in the 2017 Equifax Data Breach, where attackers exploited an Apache Struts vulnerability for which a patch had been available for around two months.
- Without an Access Control Policy, sensitive information could fall into the wrong hands, leading to data breaches or insider threats. An example is the 2019 Capital One Breach: a former employee of a third-party cloud provider exploited a misconfigured web application firewall to obtain temporary credentials for a cloud role that had far broader permissions than it needed, and used those permissions to extract sensitive customer data from cloud storage. The failure was not that the storage was open to the world; it was that one role had been trusted with access to far more than its job required.
A well-written policy is the difference between chaos and clarity. It aligns teams, minimises risks, and builds confidence across the organisation.
Linking to Tomorrow: Policies as the Bridge to Strategy
Developing strong policies is only the beginning. In Day 3, I’ll explore how policies feed into a larger cybersecurity strategy—a framework that connects governance, risk management, and operations into one unified approach.
Just like a recipe provides the steps for baking a cake, policies provide the foundation for strategy.
Key Takeaway
Policies are the foundation of cybersecurity resilience. They provide clear rules for protecting systems, managing risks, and fostering collaboration. By aligning security policies with frameworks like the Essential Eight, organisations can defend against modern threats while empowering teams to work securely.