The ends justify the means? Corporate security policies and productivity are not mutually exclusive.

Stereotype – A generalization, usually exaggerated or oversimplified and often offensive, that is used to describe or distinguish a group. (American Heritage Dictionary)

The world we live in is full of stereotypes.  We develop stereotypes when we are unable or unwilling to obtain all of the information needed to make fair judgments about people or situations.

  1. IT people are all geeks and know nothing about business
  2. If you can’t do a job well, go work in Audit
  3. If you can’t do a job at all, then go into Management
  4. Security’s job is to make sure you can’t do yours…

Sadly these are all sentiments in response to a posting by Jacqui Cheng of Ars Technica (LINK) who cited a Harris International poll that 12 percent of employees admitted to knowingly violating IT policy “in order to get work done”.

Not only did the comments reinforce to me the complete misunderstanding of the situation, but also the complete lack of communication and connection between these users and their business policies. As a security professional this concerns me, and the prevalence of “the ends justify the means” attitude is even more unsettling.

88% of people don’t (knowingly) violate policy and 12% do.  I would expect a typical response to be “So what?”  Knowing that they do it only provides visibility into the issue.  Knowing why provides you with intelligence you can act on.

So what are the reasons people violate the policy and how do we address them?

  1. I’m just trying to do my job. – While I don’t expect anyone who knowingly violates these policies to be reading any of my material, I do want to take a shot at role reversal here and see if it will make a connection.  Why does the “I’m just trying to do my job” excuse seem to only work one way?  If you find a way to circumvent a policy and you do so, your actions are justified by the requirement that your job be done.  What if your job was the enforcement of said policies?  Would you be as accepting of a no-holds-barred approach to making sure people could not circumvent a policy?  Absolutely not.  Words like Draconian, inflexible and intolerant get thrown around when that type of approach is taken.  So why is it okay for one side of the equation but not the other?
  2. It isn’t convenient. – I’m going to pick on sales because it makes this comparison easy (not because I want to single out that particular group).  Salespeople all have goals and metrics by which they are measured.  The pressure to reach those goals gives them an incentive to find ways around any roadblock that stands between them and those goals.  If your data management policy requires that (in compliance with regulations) all emails with customer data are sent via an encrypted channel, but you’re offsite and checking email on a friend’s or family member’s computer, would you plug in your USB thumb drive and send it anyway in the spirit of being responsive to the customer?  I expect that more than the 12% probably would.
  3. I know better. – This one really bothers me.  I’m going to be guilty here of violating my own concern about stereotypes, but why do so many people feel they are experts in a particular area (e.g. computer security) just because they have some degree of technical knowledge?  Does this happen in any other profession?  I’m going to have to fall back on an old cliché here and say: great!  If you are certain you know better, then be the one who helps to fix it rather than the one complaining about it. (Sorry, this one really makes me sore.)
  4. I didn’t know any better. – Sadly, I would almost prefer to get this response from people.  Providing user awareness is a lot easier than trying to change any preconceived notions about the policies they are subject to.  Unfortunately this probably falls outside of the 12%, since someone cannot be unaware of a policy and at the same time admit to knowingly violating it.

What can we do to help resolve these issues?

  1. Reach out.  While we have the best intentions when putting policies together, we sometimes lack exposure to the environment in which these policies may need to be enforced.  Therefore it’s a good idea to have representation from the people on whom these policies will be enforced.  No, this isn’t as easy as just writing a policy and publishing it, but it should help you create more appropriate policies while also giving the affected people/groups a say in how they are created.  This is also a good time to socialize the policy prior to implementing it, so everyone knows why it exists.
  2. Why is #2.  Communicating why the policies are in place is possibly more important than communications that describe the policy itself.  Looking at the responses to Cheng’s article really reinforces the point to me that the commenters had no idea of, or appreciation for, why these policies are in place.
  3. Provide a means for comments and ideas, and moreover be certain to respond to them.  Again, I hear/read the sentiment that “these guys don’t get it”, “I do this because I know better”, etc.  If they really have better ideas, provide a mechanism by which they can submit them, give those ideas honest consideration, and, more importantly, give a thoughtful response to their input.  This provides an outlet and feedback mechanism that allows people to participate in shaping policies after their original creation and implementation.

There are many good frameworks that can help you build your policies.  My hope is that I’ve provided some additional insight that will help make the implementation and adoption of your policies more successful.  Can’t we all just get along… and follow our corporate security policies?
