Every organization has its own rule book or set of procedures that management or HR expects employees to follow religiously. These ‘rules’ stipulate when employees are to start and finish work, when they can take their lunch break, how many days of leave they are entitled to, and so on. Bar the usual exceptions, these rules are understood and employees comply with them.

The same, however, cannot be said of another set of rules that most IT departments create for the organization. These rules, better known as security policies, are the foundation of effective information security, yet they are among the rules most resisted by employees.

Employees see security policies as interfering with the job: an affront to their intelligence, a hindrance to their workflow and a clear message that they are not trusted. Not surprisingly, new policies are often met with strong opposition from employees who believe they are responsible enough to protect corporate information without the security manager’s ‘this-is-how-it’s-done’ dogma.

Once again we come across this disconnect between employees and those responsible for IT and security in an organization. As I wrote in an earlier post, the two sides often speak a different ‘language’, and security policies are written in language that does not properly explain the reason for the policy in the first place. Add in a few choice words that make the security manager look like a real ‘meanie’ and you have the perfect recipe for non-compliance.

Another reason why security policies are resisted or ignored is that they are often imposed, and those affected are not given the opportunity to participate in the policy creation process. I am not suggesting that employees should dictate how the policies are designed, but security managers would find it easier to create policies if they had a better understanding of the organizational structure and of HOW employees react to policies. For example, running a short survey through the HR department will reveal whether employees know that security policies exist; what they are, where they are and whether they are accessible; and whether employees have read and understood them.

Security policies are only successful if employees understand and regularly observe the procedures, and for this to happen the policies have to be clearly communicated. Employees need to understand why they are being asked to comply with security policies, and that their contribution (through understanding and acceptance) is key to the organization implementing a successful and effective information security programme.

Security managers need to look beyond technology and understand the complex nature of human behavior. Managing security is as much about people management as it is about technology. This is the major challenge.