Over a decade ago, Stephen Northcutt, one of the original founders of the SANS Institute, recruited me to help plan a course purely about security policies and procedures. At the time, I was all about hands-on hacking and defending, and I saw little value in a course purely focused on "paperwork."
It took me a long time to realize that without the paperwork, you don't get any real security.
Almost all security professionals can secure their own computers by tightening down the right settings, applying all the needed patches, properly configuring the firewall, and making sure their antivirus definitions are up to date. The challenge is doing that for hundreds or thousands of machines -- PCs, laptops, servers, mobile devices -- running different applications or platforms. Documenting and enforcing policies and controls is necessary for us to apply all the good advice in our heads to all the machines that we control.
You could even implement the best possible security across a large number of computers, to the point of perfection at a particular moment in time. But without policies and controls, that perfection won't last long. It took me years of real-life experience to learn that policies and controls are king. The technical pros are the fiefs and knights.
If your organization is behind on written policies, look to SANS: It continues to be one of my favorite resources for all manner of security information, including guidance and resources on the paperwork side of things. For instance, SANS recently released its top 20 Critical Security Controls for review.
As expected, it's excellent, mostly because of how comprehensive it is: Both knights and kings were clearly involved. Each control has many specific "quick win" recommendations. Some are more detailed than others, but they all should be part of any computer security defense. I encourage defenders to take a look and see what you can learn from it.