The first step in using security policies to reduce risk is to create the policy documents, but your work doesn’t stop there. Your security policies hold the potential to guide behaviors and practices that protect your organization’s systems and data, but policies lose their potential for positive impact if they are forgotten. How do you keep attention on protecting your organization?
Keep your policies relevant and top-of-mind across your organization.
To see your policy grow to be the foundation of an informed security culture at your organization, you must promote it, achieve buy-in, and eventually enforce it.
Promote your policies
Think beyond simply requiring each employee to read and sign your policy. Give your organization’s security culture room to grow by strategically seeding thoughts and conversations around the most important parts of your policies.
Build strong relationships with the department leaders at your organization.
Members of the C-suite, directors, and managers influence which actions and behaviors employees consider important in an organization’s culture. Spend time with the leaders at your organization to make sure they understand how your policies affect the departments they lead.
Help the leaders at your organization become comfortable communicating the relevant parts of your policies to their teams. Their participation spreads information faster, which leads to faster buy-in from employees.
Keep information security in the conversation.
There’s a reason advertisers invest in showing you the same ad multiple times: repeating a message and call-to-action leads to people remembering the takeaway. You can emulate that strategy at your organization by keeping the highlights and benefits of your policies out on display.
Give employees opportunities to learn and participate in security culture.
Spark your employees’ curiosity by sharing background information on how you decided on your recommendations. Tell them the story behind why you are requiring them to adhere to the guidelines in your policy. Offer them channels to ask questions and get answers about information security and how they can help protect your organization.
Offer regular and varied training.
Keep your employees updated and engaged on evolving policies and outside threats. Share examples of the benefits of following security policy and the risks of breaking it. Experiment with different training strategies to see what motivates your employees.
Consider the following types of training:
- Training workshops, for the organization’s entirety or its subgroups.
- Self-guided learning, like pre-recorded courses.
- Peer training, when employees mentor other employees.
- Ambassador model training, when one person from each team receives training and is then responsible for advocating the policy in their group.
Make your expectations obvious: Ask for action.
You need your employees to follow your guidelines. They are more likely to follow your policy if they can quickly understand what you need from them. Clearly communicating which actions they should take next helps remove friction as you’re motivating them to adopt your policies.
Achieve buy-in from your employees.
Participation is best fueled by mutual respect. Taking your audience into consideration while planning and communicating your policy leads to relevant and effective recommendations that your employees will be more likely to remember and follow.
Recognize that your policy affects your employees’ job duties.
Show your employees that you considered their position and how the policy may affect their work. Reinforce how those requirements benefit the safety of the organization. Listen to and take their concerns seriously.
Support employees as they adopt your recommendations.
Invest time into working with the teams at your organization as they evolve their practices to comply with your policies. Review the highest priority risks together, then collaborate to identify impactful changes they can adopt that comply with your policy. Regularly check in to make sure their efforts align with your information security plan.
Include employees in your process.
Your employees are the front line between your systems and the outside world. They come face-to-face with many of the threats you need to protect against. Create space for them to report, and for you to investigate, suspicious situations they encounter. They will get better at spotting red flags as they learn what your policies require and why those requirements benefit the organization.
Enforce your policy to reinforce the values of your security culture.
If you care enough to put a policy in place, eventually you will need to enforce it. Your organization can put in processes to check compliance with your policies.
You don’t want employees to be afraid of your team.
The security team should be seen as protectors, not as people who get you in trouble. When an employee is unsure whether they are breaking a security policy, it is easy for them to jump straight to a frightening outcome, like getting fired. Termination may be the outcome in extreme cases, but in practice, enforcement is mostly an opportunity to educate employees and further define your organization’s security culture.
Transparency builds trust.
Employees may be unsure whether something they do or know about is out of compliance with your policy. You need to learn about these gaps, because each one expands your attack surface. If employees fear retribution, they are less likely to come forward and tell you about potential risks. Create an environment where employees feel safe asking candid questions without getting in trouble.
Confronting employees doesn’t need to carry a negative vibe.
Use security violations as awareness checks and teaching opportunities. Most violations are not malicious, but employees who break your policy still need to understand the risk their actions create and then change those behaviors or practices. For high-risk cases of malicious or reckless behavior, work directly with the employee’s manager to communicate the risk and resolve the situation.
Enforcement comes in many forms.
Here are some examples of security policy enforcement:
- Share an announcement that reminds the organization of the goals outlined in your security policy.
- Add automated checks in your systems that flag or block non-compliant actions, so employees have to stop and consider what they are about to do.
- Conduct regular checks and self-audits.
- Meet with an employee to work together on bringing a deliverable into compliance with your policy.
It’s never too early to start highlighting the value of information security culture at your organization.
Strong security culture begins with interesting and relevant conversations that lead to buy-in from employees across your organization, effectively reducing the risk of threats entering your systems. Although the boundaries of your policies may be tested, the learnings from enforcing those policies strengthen the definition of your organization’s security culture.
Elevate your information security program.
Let the security experts at ZeroWall evaluate your security profile.
Make sure you’re promoting the most effective security policy. Taking the ZeroWall Assessment™ is the fastest way to get an expert evaluation of your security profile and risks.
ZeroWall’s Threat Model Engine works its magic on your answers and delivers you an Insights Report that outlines:
- The gaps in your security program
- How your current investments are addressing risks
- How you compare to similarly-sized organizations in your industry
- Right-sized recommendations catered to your unique organization
Get the information you need to build your organization’s right-sized program.