Policy Implementation Issues

When implementing policy, it’s important to consider the organization’s structure in relation to its business, size, and technology. Another important consideration is how the plan fits the organization’s leaders. If a leader holds team meetings or town halls, the implementation plan might use these events to discuss the policy change. A different leader may be more hierarchical in his or her approach, preferring a series of group meetings that cascade through the reporting chain. What matters most is recognizing these differences and adjusting your security policy approach accordingly.

Depending on the policy change, one method is to find an early adopter. An early adopter implements the security policy ahead of the general rollout as a type of pilot. In this way you can demonstrate the value of the policy, surface practical problems before they affect the whole organization, and use the positive experience of the early adopter to overcome concerns and objections. An early adopter of security policies helps lead an organization’s successful implementation, and early adoption can be a source of pride for both the individual and the team.

When you navigate an organizational structure to build support for implementation, keep in mind that you are talking to people, not boxes on an organizational chart. It’s important to listen, accept suggestions, and realize you will need to overcome concerns and user apathy towards information security. It will be important to build support with executive leaders throughout the implementation process, especially with those with differing views of risk and different management styles.

Encourage management to be personally involved in the implementation. They know their teams. A good manager will listen to the employees’ issues and feed back to the security team both the concerns raised and ways to overcome objections. Security awareness and messaging are not a one-time event. It’s important to reinforce the message as often as possible. If you can engage employees and show them why security is relevant to their jobs, there’s a greater chance they will adhere to policies. Security awareness programs help keep workers engaged with the information security message, thereby helping to prevent apathy.

Remember, motivating employees is as important as mastering a technology. A motivated employee can deal with the unexpected. This is particularly important when dealing with unexpected security incidents.

Changing an organization’s culture and users’ perceptions is not a one-time event. Simply releasing security policies does not change attitudes. Security is a tough sell because the benefits are not always obvious. Cultural change comes from having a clear value message that is demonstrated daily. It also requires collaboration and an understanding of the business. Culture is changed in small increments. That’s why you need a well-planned, step-by-step approach to implementing policies. Three common messages to deliver during an implementation are:

  • Personal accountability
  • Directives and enforcement
  • The value of security policy

Although “selling security” has an upside, security is, in the end, mandatory in most organizations. A soft sell goes only so far in motivating employees, because the consequences may not seem real. The more abstract the perceived argument as to why information security is important, the less convincing it becomes.

It’s important to discuss personal accountability and the consequences of not implementing policy. The consequences can range from loss of data to failure to meet regulatory requirements. This message resonates with executives, especially those who operate in a regulated industry. In highly regulated companies, executives can be held personally accountable for failure to implement effective controls. The Sarbanes-Oxley Act, which requires senior executives to certify the effectiveness of internal controls over financial reporting, is an example of this type of regulation.

After a period of “selling” the implementation, there often comes a management directive and enforcement. Management will require policies to be implemented. Management sets the tone within an organization through how it enforces its policies. Inevitably, someone will fail to follow policy. The level of tolerance and how aggressively policies are enforced sets the tone. It also shapes whether policies are perceived as important.

Mandates by management and aggressive implementation are often needed to meet tight deadlines. This is particularly important in meeting regulatory mandates. For example, in banking, strong authentication for some transactions is a legal mandate in many jurisdictions. This might translate into requiring two-factor authentication to access a bank account online or to authorize a payment. The implementation of these policies can help the online banking manager achieve his or her goals of reducing online fraud and becoming compliant with regulations.

Finally, keep in mind that the business and the IT team are both often overworked and overcommitted. Information security is sometimes seen as an additional layer of complexity. Some people perceive security policies as a roadblock to the delivery of services. Such perceptions usually reflect policies that were poorly designed or poorly communicated, not security policy itself. Well-designed security policies can enable organizations to expand by creating reliable controls that protect vital systems and applications.

Implementation is as much about changing attitudes as it is about implementing controls. Overcoming perceptions and changing culture are goals of the implementation, not just side effects. In other words, it is about implementing in a way that wins hearts and minds. You need to be transparent about what risks security policies can and cannot reduce. Most important, security policies need to be viewed as a useful tool.

President Theodore Roosevelt’s famous counsel was “speak softly and carry a big stick.” This is good advice for implementing security policies. Do everything possible in the early stages to win the hearts and minds. In later stages, you need clear and concise statements of management mandates and of accountabilities.
