Three Reasons Why Employees Chafe at Security Policies

Posted by Christopher Burgess

How often have you heard someone say, "We can't do it that way, because our security policies prohibit . . . " Perhaps they were discussing customer data security and the means to achieve frictionless engagement. 

Variants of this conversation occur every day, and if you are the chief information security officer (CISO), you need to maintain these policies. Here are three reasons why employees (and executives) don’t like them.

1. Policy Is Not Aligned with Measured Metrics

Every company has to measure something, whether it’s how many widgets are created in an hour or how many calls the call center handles on a given day. Information technology teams have to track availability, reliability, accuracy, and authenticity to determine network status. If the security policy doesn’t take these metrics into account, people will look for workarounds. Consider a boutique law firm specializing in intellectual property with the following policy on secure customer communications: "Each time a client receives correspondence containing sensitive digital data, the content must be encrypted and the encryption logged." The policy’s goal is to ensure all sensitive data leaving the law firm is encrypted. In reality, the encryption process is manual and cumbersome, and training clients to work with encryption is a bother. The lawyers and paralegals engage with clients, both face-to-face and via email, and are measured on billable hours and issue resolution. The lawyers and paralegals don’t want to violate policy, but the process is so cumbersome that they classify the data being shared as not sensitive. They acknowledge the company's security policies but defeat them because they are difficult to work with.

One way to avoid this situation is to factor client/employee requirements into the security policy. Educate the people who are most affected by the policy. Make resources available so that it is not too difficult to follow the policy.

2. Policy + Infrastructure Inhibits Success

The same boutique law firm has another security policy requiring that only company resources—mobile devices, laptops, etc.—can be used to access work-related information. When the lawyers, researchers, and paralegals are in the office, this is not an issue. It becomes a problem when deadlines loom and the team is expected to stay in the office to work late hours. The security policy doesn’t allow virtual access (a virtual private network) or remote login. Only lawyers are issued laptops or tablets, and only for travel purposes.

The team reviews the security policy, the resources available, and what is available to others, and they decide that just this once they will craft a workaround so that the job can be completed. They buy USB memory drives for the paralegals, load the work onto them, and permit the paralegals to take the work home to finish up on their home computers. You can see the risks introduced by this workaround: sensitive client data now sits on unmanaged, unencrypted removable media and home machines outside the firm's control. The fix? Align the workflow and employee needs with security policy.

3. Policy Was Created by the Infosec Team for Ops/Sales

Should the infosec team be creating security policies for the whole company? There is a reason many information security professionals have earned the “infosec no” nickname: they have good intentions, but their security practices end up inhibiting the enterprise.

Unless the infosec team has visibility into the specific needs of the ops/sales team, they are more likely to create policies that bring commerce to a halt. That isn’t helpful. Instead, focus on collaboration.

Think of the entire company as a crew in a rowing competition. If one or more of the oarsmen is out of cadence with the others, the boat's ability to move forward is inhibited. Infosec should be at the table with ops/sales, making suggestions and explaining what is possible and how it can be achieved, instead of making blanket policies no one can work with.

Working together, everyone can agree on and create relevant policies that expose the company to the least amount of risk. The risks are defined and owned by the business stakeholders, not the information security team. Since the business unit owns the risk and is responsible for ensuring the risk is mitigated, the policy will be more likely to be followed.

Consider metrics, align the workflow, and work with the business units. That is how information security professionals can make security policies more relevant and effective for the organization. 

Christopher Burgess, Prevendra Inc.


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
