A recent Seattle Times article offers an interesting case study for security professionals. The headline: “After 6 months, drivers ignoring cellphone ban.” Can we learn anything from law enforcement’s implementation of this new law? I think so. The Seattle Times article covers a variety of important policy implementation steps that were used:

1) A PR campaign was initiated and initially worked. Cindy Baker-Williams held a “Hang Up and Drive” banner over Aurora Avenue North in Fremont when Washington’s handheld cellphone ban for drivers began on the first of July. She and her family hoped the new law would change drivers’ behavior. It did at first.

2) Over time, people started to ignore the ban. Sgt. Freddy Williams of the State Patrol (said), “We see about one in three drivers talking on a cellphone. People seem to be ignoring the law.”

3) Enforcement penalties were real, but somewhat limited. Statewide, troopers handed out 746 tickets for illegal driving-and-talking through November…. Troopers also issued 1,345 written and verbal warnings…. But driving-and-talking is a secondary offense, meaning the police have to stop a driver for another violation before they can write a $124 ticket for holding a cellphone.

4) Metrics were available, but the meaning of the data could be argued. The pioneering law — only six states have such a ban — might have contributed to a drop in car crashes on state roads this year. It’s impossible to know, though, Williams notes, whether the drop resulted from the cellphone ban or other factors such as high gas prices and less travel.

5) Next steps are controversial. The public appears to support a tougher law. Baker-Williams expects it will take a similarly long time — and lots of statistical evidence and personal tragedies — before the cellphone law is strengthened and drivers change their habits.

Perhaps you’re wondering, what does this cellphone ban law have to do with security or other technology policy enforcement?
Can’t we just “impose our policies” on corporate or government networks and PCs, laptops and other devices? Can’t security policy enforcement be automatically implemented in ways that cellphone bans in cars cannot? No doubt there are differences, but in some ways the cellphone ban for drivers is a best-case scenario. For one, everyone “gets it.” They understand the law (policy), and they understand the potential risks and life-or-death consequences of not complying. Of course, the trouble is that they don’t think the bad things (like an accident) will happen to them – which is the same risk/reward equation that is faced when violating security policies. In addition, the penalties were real and in place in this case. The metrics were available, and the ways of hiding behavior were somewhat limited. One could easily argue that enforcing a driver’s cellphone ban is an easier task than enforcing security policy on work networks.

In my opinion, there are quite a few similarities that CSOs should take note of here. First, policy enforcement requires a look at people, process and technology – NOT JUST TECHNOLOGY. (Sorry for shouting, but many in the industry just can’t seem to understand this fact.) For example, I’ve seen staff bring in their own web-enabled cellphones to bypass security measures on government or corporate networks. Strong “built-in” technology controls can’t stop users from using personal devices to access external networks and websites that pose risk. The temptation may be to ban all personal cellphones (or other devices) at work, but after governments and companies take away cellphones from staff to save money, you may face a backlash from such moves. Every action causes an opposite reaction and needs to be weighed carefully.

Bottom line, policy enforcement is hard – but it needs to be done. My point in this blog is to illustrate some of the difficult aspects that CSOs and others face after they implement a network or security policy.
Oftentimes, this is a long road. Just like cellphone bans for drivers, it takes years to change people’s habits.

Ending on a more positive note, there are several examples where we have seen long-term behavioral change after policy change. Two such areas include the use of seat belts and smoking bans. In both cases, we needed to change the public opinion and not just the law/policy. CSOs need to keep the ongoing training/awareness aspects of new policies in mind.

What are your thoughts on policy enforcement?