Be clear with communication

Why are you asking your colleagues to review and acknowledge yet another policy document? Though it may be clear to us as information security professionals, we need to be sure that we communicate the purpose of this new policy when requesting that staff review and acknowledge it. Being explicit removes a barrier to compliance because it allows those within the organization to fully understand the intent of the policy and their subsequent responsibility to it. As policy executors, it is our duty to clearly communicate the reason for the policy to our fellow staff and to be fully transparent on why it is being implemented within the organization. Don’t forget to keep your purpose explanation simple and to the point!
Get buy-in early from leadership

Be strategic by getting early support from management and the executive team. Sponsorship from the appropriate parties is critical for the success of new policies and for perpetual compliance from the organization as a whole. If we are unable to obtain buy-in from the decision makers within our organizations, such as management or the board, it will be impossible for our colleagues to get behind the new policy. Communicate the value of the policy early on in the development process by aligning it with the company risk register. Demonstrating that your policy will positively address or mitigate an item on the risk register serves as great leverage for gaining early support from key decision makers.
Evaluate your security culture

Begin by evaluating your cybersecurity culture. How do your colleagues prefer to be contacted? We are more likely to obtain policy compliance if we can meet our coworkers halfway and distribute the new procedure in a way that is easy for them to receive. Some companies make ample use of a Learning Management System (LMS) for distribution. Others transmit the message of a new policy through email. Taking the temperature of your security culture will allow you to identify how fellow employees are most likely to notice a new policy change and therefore be comfortable following it.
Establish accountability

Identify one individual (and one individual only) to be accountable for follow-through on the policy. While delegating responsibility for policy compliance to a group or team may seem like a reasonable decision, it can easily lead to gaps. When more than one individual is responsible for the overall success of a policy, tasks can fall through the cracks and key results will not be achieved. Compliance objectives are less likely to be met if we delegate accountability to a group instead of one individual, since roles and responsibilities will be too loosely defined. Designate one information security professional within your organization to be responsible for policy compliance and schedule regular (and actionable) metrics to measure policy response over a defined period of time. One effective metric is the percentage of staff who have reviewed and acknowledged the policy within the first quarter of its publication. Another enlightening measurement is the number of policies that exist within your organization. This number will typically indicate whether colleagues require more guidance on their compliance expectations, or whether the sheer number of documents requiring review has become overwhelming for the employee population.

Implementing a new policy and having it followed doesn’t need to be laborious and taxing for the security group. As information security professionals, we tend to make things more difficult than needed, including the concept of policy implementation and compliance. Being transparent, aligning with the security culture, getting early sponsorship and establishing accountability keep the process simple; none of these has to be arduous to be effective. Take this as an invitation to keep the compliance process simpler when you implement and distribute your next policy document!