This article can also be found in the Premium Editorial Download "Information Security magazine: Why business managers are a breed of security professional."
Download it now to read this article plus other related content.
To gain buy-in and support for your security policies, it's best to start at the top.
A clearly written security policy that's supported by management, properly implemented by technical staff and complied with by users is the dream of every security manager.
The real world, though, is a bit different. When asked by Information Security what's making their jobs harder, 58 percent of security managers pointed to user ignorance and policy noncompliance. Close behind were business units ignoring risk and threats (51 percent), and the lack of management buy-in and support (43 percent).
Security polices aren't something that are written and put on a shelf to collect dust. They're living, dynamic documents that should embody the mission and operations of the enterprise. That means how the policy is created, implemented, communicated and enforced is just as important as what the policy says.
Bridging the gap between policy intent and policy practice isn't difficult. Like most things in security, it's about process. Security managers can use some relatively simple techniques to get everyone on board with security policies and on track for continual compliance.
Right from the Get-Go
The failure to obtain sufficient buy-in from top management prior to issuing a policy is one of the most pervasive problems on the track to compliance.
Often, security policies are agreed to
As a security manager, you are responsible for outlining trade-offs with management before a policy is implemented. You need to perform the necessary research, and brief management on the good and bad news of each proposed policy, including any overlap or conflict it may have with business operations. These overlaps and conflicts should be worked out before the policy is issued.
Also, talk to management about what should exist under the policy, and then obtain the budget to make the necessary changes. Leaving this discovery and correction process until after the policy has been issued can result in management feeling duped into spending more money than necessary on security. If this happens, you can be sure that future budget requests will be heavily scrutinized.
The upfront work also needs to include risk assessments where those writing the policy become familiar with the organization's security real estate. Without this information, policies are likely to be stiff, rigid and ill-suited to your organization. This will, in turn, encourage staff members to deviate from, if not ignore, the policy.
Poor project planning and inadequate follow-through may also come from writing and publishing a policy without understanding the consequences. You should have a rigorous project-planning and status-reporting system in place to oversee the implementation of the policy requirements.
The Language Barrier
When planning compliance projects, management often allocates insufficient time and staff with the belief that, by setting aggressive goals for the installation of a new security system, employees will complete the compliance project because of the stiff deadline. However, the result is often demoralizing for your security team.
A chief complaint among security managers has been inadequate resources to handle policy compliance. Although policy may dictate strong fixed passwords, for example, a lack of tools to check policy compliance will ensure that weak passwords remain in use.
Better communication with management over software investments and the legal standard of due care will help scale any barriers created by a lack of policy enforcement.
Considerable effort must also be devoted to training and awareness—most notably, with management. Policymakers should tie in business objectives before the policy is written, and emphasize at every opportunity how security policies inherently support business objectives. In other words, good security means good marketing. Strong security policies posted on the company Web site will encourage customers to do business with your company. When management understands the synergy between business objectives and security compliance, resources and support will be easier to obtain.
This was first published in June 2005