I recently learned that IT security policies never please everyone, can be nebulous, and are difficult to get right. I'd like to share one company's experiences as they tried to get their plan to work.
IA client asked me to attend a meeting. I said sure, asking what it was about. The client said they wanted to revise their IT security policy. That's good; we both knew there were some problems with it. The CEO also knew that getting buy-in from everyone was critical and she expected it to be an up-hill battle.The results
Surprisingly the meeting went quite well. The CEO explained the situation and everyone got to work. In short order, the group agreed that most issues with the security policy were due to three reasons.1: Policy was vague
Most IT security policies that I have read aren't very clear, thus absolutely useless to employees. For example, the company's IT security policy states that social-networking applications are not allowed.
During the meeting, I asked a few employees about their use of instant messaging (IM). Besides feeling they weren't abusing company guidelines, everyone mentioned how IM made their job so much easier. No one saw a problem.
That confirmed the vagueness of the security plan. Wanting to eliminate any ambiguity, the group came up with the following changes:
- If certain programs or services are banned, specifically mention which ones in the security policy and communicate it to every employee.
- Revisit the security policy periodically. If need be change policy to meet current business needs.
- Technically prevent banned applications from working rather than relying on user education.
Security and productivity are polar opposites. The best anyone can hope for is an agreeable middle ground. During the meeting it was very evident that it was more like a no-man's land.
IT personnel were doing their job as they understood it. Some security practices were adding significant overhead to the production process, but in their eyes that was acceptable. The plant manager disagreed. Increasing production and reducing costs were paramount for the company to remain successful.
Who's right? I'd say neither. Regardless, a turf war is bad for everyone. Under the watchful eye of the CEO, both sides worked together to create a strategy that should improve security, increase production, and reduce overhead costs. Now that's an agreeable middle ground.3: The policy applies to everyone
I found interesting, the discussion about whether the security policy applies to everyone or not. Some employees actually felt the security policy didn't apply to them. The CEO quickly put the matter to rest, it does. The CEO wisely pointed out that if there is a problem, revisit the policy and see if it needs changing.Final thoughts
My client went through a painful but beneficial discovery process. I thought sharing what they learned might help make it easier for others.