Let us begin with the premise that security policies exist to protect an entity's assets as it pursues the normal conduct of business. To ensure that those policies are effective, security professionals must first understand the social elements, including cultural and generational variances, that affect employee behavior and perceptions about security. With the implementation of a three-step process of discussion, creation and messaging, security policy can be successfully crafted—with consideration given to geographical, cultural and generational factors—while assuring resonance and understanding throughout the organization.
A recent Cisco white paper, Data Leakage Worldwide: The Effectiveness of Security Policies, illustrates the apparent disparity between the perceptions of end users and IT professionals surrounding the existence, relevance, updating and communication of security policies. Just as businesses strive to understand their marketplace, they should also conduct internal market research to identify the key characteristics of their employee demographics.
To protect your employees, it is necessary to answer a number of rudimentary questions:
- What are the business's goals?
- Who is responsible and accountable for the business's success?
- Which individuals or business units are most affected by a certain policy?
- Who and what functions are you trying to protect?
- What social differences exist?
  - Generational?
  - Functional?
So let's look at some of these demographic challenges that an enterprise may face. In the geographic domain, a policy written for one audience may fail elsewhere if not fine-tuned for relevance. After all, cultural differences affect methods and styles of communication. For example, a message crafted for a highly technical audience in Asia may not have much success with a less technical group of employees in the U.S. who are used to a different communication style, and indeed one risks putting them to sleep or having them intellectually check out.
Generationally, how do we deal with individuals who are entering the workforce having collaborated and communicated openly using social media and other collaborative tools? Truly, this is an unprecedented challenge. (Editor's note: See also csoonline.com's Security and the Generational Divide.)
The key to success is in the early transfer of responsibility to those engaged in making the business successful. Take steps to assist those who believe that "there are no secrets" and help them comprehend why their personal livelihood depends on protecting the corporate intellectual property and infrastructure. Clearly communicate that, in fact, there are secrets. Once employees understand that they have a responsibility to protect the enterprise, the chasm between the security professional and the rest of the staff not only shrinks but disappears. Through this process, the enterprise will come to treat security as forethought, not an afterthought.
Far too often, security policies arrive as a reactive action rather than as proactive management of risk. Unfortunately, many policies are created without any discussion or consideration of business needs. When challenged, an IT department expects automatic adherence. Managers frequently expect subordinates to comply with a policy even if they don't understand why adherence is expected; it is simply "because I said so" compliance.
To have security policies arrive as an overlay to an existing procedure is like placing a patch over a hole on a sweater. The patch may be effective, but if applied incorrectly, it can leave a noticeable flaw.
An upfront investment and a mandatory engagement by those crafting security policy need to occur at the point of strategic discussion within the business unit. This strategic interaction exponentially raises the odds of having a security policy that makes sense and factors in the data from demographic and functional research. A policy created in this way is a tool that each member of the business unit can use in a manner consistent with the agreed-upon security protocol.
This early alignment in the creation and implementation of policies is thus analogous to security being one of the integral threads woven into the fiber of the aforementioned patch, thus making it stronger and less likely to develop new holes. This way, policy isn't based on disconnected silos of knowledge, and your employees aren't being placed in the position of having to choose between business success and policy adherence.
So how do you go about engaging your employees and communicating your policies? Think globally, but act locally. You may have a global workforce message, but you must tailor that message for comprehension and relevance at a local level based on cultural, linguistic and other social factors.
Now let's discuss existing policies that were created in the overlay fashion. First, review these policies with the affected business units to assure they don't handicap or stifle business direction. Recommend that a review of adherence be completed prior to the discussion, as it may provide some measurable clues to a policy's effectiveness. Then recraft these policies to align with the reality of actual business objectives and goals.
Ultimately, the key is to ensure that your colleagues understand both the "why" of the policy and their share of ownership in the policy's existence. Giving ownership of any security policy to those most affected by it will increase adherence and address the risk that the policy is designed to mitigate. The "what" of the policy then follows with understanding, if not enthusiasm.
Ideally, security professionals will use this three-step process of discussion, creation and messaging. Each step reflects a consideration of geographical, cultural and generational diversity, and also positions the arrival of policy in a manner designed to assure resonance, understanding and applicability.
Christopher Burgess is senior security advisor to Cisco and a former government security expert with more than 30 years of field experience.