Security Careers: Responding to questions successfully
Michael Santarcangelo tells us why explaining the reasons behind security policy, rather than relying on a quick answer, can go a lot further toward employee compliance and understanding
By Michael Santarcangelo
July 19, 2010 — CSO —
"Why can't I use my iPhone at work?"
A simple, common question, asked daily in organizations around the world and driven by policies against using iPhones, iPads and other "unapproved" portable electronic devices. As a result, questions abound.
And that's a good thing.
What is more versatile and powerful than a question?
A simple approach to learning, sharing, teaching and exploring, questions are as much art form as workhorse of our ability to communicate. While learning how to ask questions and listen to answers is important, an often-overlooked key for career success is learning how to respond.
When someone asks a question, what is your response?
We are asked dozens, maybe hundreds of questions a day. Are these questions treated as interruptions to be dismissed as quickly as possible, as personal challenges, or are they given consideration and addressed with the right response?
During a recent awareness assessment (where we understand key behaviors, opportunities and challenges), one of the participants explained, politely, that the current policies prohibiting iPhones were misguided, restrictive and unenforceable. The anonymous response ended with a question: "If the policy isn't going to be enforced, why restrict us?"
Great question.
This is why questions are so important. Individuals ask questions for a variety of purposes: to find out if they can do something, to understand a situation, to make a decision, all focused on gaining information. Now, while many questions require a simple yes or no answer, a question like this is an opportunity to share an explanation.
Consider this:
- 12 percent of employees reported intentionally violating company policies in a survey conducted by Fiberlink; in my experience, the actual number is likely to be even higher.
- 90 percent of employees reported their own ability to manage risk as good or excellent (good enough they'd bet their paycheck on it) in a recent "Awareness that Works" assessment I conducted (Security Catalyst, Spring 2010).
- 35 percent of respondents have felt the need to work around their organization's established security policies and procedures just to get their job done.
- Nearly half (41 percent) of the respondents have determined that employees have been using unsupported devices, and more than one-third of that number said they have had a breach or loss of information due to unsupported network devices.
- 65 percent of respondents frequently or sometimes leave their workplace carrying a mobile device such as a laptop, smartphone and/or USB flash drive which holds sensitive information related to their jobs.