When I am called in to help a Small or Medium Organization (SMO) with their information security, I rarely have any trouble convincing them of the need to buy a firewall, a better access point, anti-malware software, or anything else they would consider tangible. When I mention the need for a security policy document, however, I get blank stares (or worse). This is unfortunate, because the security policy document is as foundational to good information security practices as any piece of hardware or software. I could write at length about the justifications for having such a policy, but since I can tell I am already getting that impatient look from you, I will keep it short and hit the high points.
First, it is imperative that everyone in the organization follow the same rules, even if the organization is small. Having different pockets of an organization following different rules can lead to disaster. A common standard is needed to establish the minimum requirements for achieving base-level security. Many SMOs implement policies via a "monkey see, monkey do" approach, and a written security policy document counteracts this by providing a formal basis from which everyone can work. Imagine a Falcons game in which the players had different playbooks (OK, maybe that explains last season).
Second, a security policy is a key part of the employee awareness process. If you dig into the major security breaches that have occurred in the past year, you will find that most began with an error or omission by an employee or contractor. As I discuss in my white paper, the Anthem breach is believed to have been the result of employees following a counterfeit link to a fake domain in an official-looking email. I actually got such a message last night, advising that my PayPal account was limited because of a customer complaint. The domain was paypoal.com. Quite convincing. A written security policy forms the basis of a security awareness program.
Third, and related to employee awareness, a security policy forms an objective basis for employee disciplinary action, when necessary. I don't think there are many folks who get excited about employee discipline, but it is necessary at times to protect the business. It is very hard to enforce rules that are loose, strictly verbal, or non-existent.
Fourth, it helps to ensure that vendors and other third parties are protecting your critical information at least as well as you are. Third parties with access to your facilities or information can be a significant exposure if they themselves are not following strong policies. A written security policy allows you to give such parties formal notice of the standards you expect from them, and forms the basis for auditing their practices.
Fifth, it can be a vehicle for demonstrating management commitment to following strong information security practices. A good policy document distributed and promoted by a key executive makes it clear that the approach is important to the success of the organization, and helps employees buy into that success.
Sixth, such a policy supports company growth. A 5-person company can often get by on "oral tradition". As a company grows, however, it gets increasingly difficult to pass this sort of information along verbally. You may recall the telephone game from when you were a kid - one person creates a message, whispers it to the next person in line, and so on. The last person in line speaks the message out loud, and everyone is amused by how much it has lost going through the group. With a written policy, your organization can succeed with information security whether you have 5 or 500 employees - they all get the message from the same source.
Finally, such a policy is required by all of the major compliance standards. Whether it is SOX, HIPAA, or PCI, a written security policy is a fundamental part of the standard. Even if you are not bound directly by one of these standards, it is likely that, sooner or later, you will deal with someone who is, which obligates you to meet the same standard.
At this point, I hope any of you sitting on the fence have decided to climb down and get started. The good news is that the process is not nearly as difficult or tedious as you may think. There are various sources on the Internet for templates or sample policy documents, which you can customize for your needs. As an example, Entrepreneur published a reasonable template for this purpose. You can also ask a key customer for their policy document and modify it appropriately. This has the added benefit of ensuring that your policies are consistent with theirs. Finally, there are a number of security organizations (ours included) that will build an appropriate policy around your organization, usually for a quite reasonable charge.