
Few employees are ever happy with new IT security policies, particularly when they are handed down from on high. The policies feel like an interference with the daily workflow: extra chores for no extra pay. But while these new security procedures are usually critically necessary for the organization, a policy that lacks rank-and-file buy-in is one that users will quietly disregard or work around, and a control that is ignored protects no one.
For this reason, it’s important to get buy-in from employees. This may involve including them – at least in some small way – in the investigation and planning processes.
"A policy for policy's sake is useless if it isn't being used to ensure proper processes are followed," said Danny Hammond, security research analyst at Info-Tech Research Group. "A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant."
Info-Tech Research Group recently published a new industry blueprint to help companies develop and implement effective security policies. One key finding is that employees are not paying attention to policies, often because when a policy is distributed nobody explains its purpose, how it benefits the organization, or why compliance matters. Furthermore, informal, unrationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise and maintain.
To nurture an effective security policy and increase engagement, organizations must take a concerted approach to building a policy lifecycle that involves stakeholders at every stage, from development through deployment, review and monitoring, according to Hammond.
"No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep the organization secure," Hammond said.
This process may include defining security policies in language that employees can understand; ensuring that policies are reasonable, enforceable and measurable; and communicating the process to employees at every step along the way.
Edited by
Erik Linask