Organizational Support for IT Security Policy Enforcement

Abuse of a company’s technology can leave it at risk. Failure to follow policies can lead to regulatory noncompliance. Failure to follow up and resolve issues can result in lawsuits. These situations can lead to more regulatory sanctions and expensive legal fees.

Enforcement of security policies needs to be ingrained in an organization. Many people must participate—enforcing policies is not a one-person role. Enforcement of policies is achieved through layers. This includes organizational committees enforcing policies and monitoring workers’ actions. Each layer validates that security policies are being followed. The goal is to build awareness and enforcement throughout the organization over time. IT security policy compliance is everyone’s role.

NOTE

The introduction of new policies forces change within the existing culture. Unfortunately, security policy changes are needed. For example, new threats emerge and new policies are required to address them. It is also true that many people tend to resist change. It’s important that change be discussed well in advance of introducing new policies. Individuals must internalize and embrace policies for them to be effective.

An organization needs to decide what it wants to accomplish through policy enforcement. The organization can choose to focus on a limited number of areas such as access control, data leakage protection, and virus protection. Alternatively, the organization can use policies to enforce change in the culture. Certainly, enforcing security policies changes habits and thus the culture. Whatever the specifics, policy enforcement must have a goal. The most obvious is to ensure compliance with policies—but that is somewhat circular. Sometimes companies have ineffective policies. This often stems from not thinking clearly about policy goals. If your goal is good password management, but your policy requires a 50-character random password, that will almost guarantee employees write down their password because they cannot remember it. In this case, you have actually subverted your real goal by enforcing this unreasonable policy.

When introducing change, remember that it may create conflict. Security policies may conflict with how people naturally react. For example, you’ve been trained on social norms such as the simple act of opening the door for someone. You probably see these acts as being polite. Yet a security policy prohibits opening a door or allowing someone behind you to gain entry. You’re expected to deny access to uncredentialed workers and perhaps even to a well-liked coworker. Policies may require you to deny access to senior executives. These seem like small issues, but they can create internal conflict and uneasiness in workers. These conflicts are inevitable. Workers who take a commonsense approach may have their thinking challenged. Nevertheless, part of enforcement is recognizing the conflicts and working with employees to overcome them.

NOTE

The person primarily responsible for setting goals in security should be the chief information security officer (CISO). The CISO’s key task is to build support for implementing security policies and programs within the executive ranks. The CISO’s ability to build personal relationships with executives and gain their trust is the most effective tool for implementing security.

Executive Management Sponsorship

Executive management today is pulled in many directions. It’s a fast-paced world, for some industries more so than others. To be effective, executives need to be surrounded by employees with a strong sense of clarity, purpose, and action. Effective leaders have the ability to encourage people to achieve the leaders’ goals. They lead the organization in the right direction in order to achieve a specific goal. They use their values, knowledge, and skills to motivate and get others to excel. Effective executives persuade people to do the right thing for a better future.

Executive management support is not just about budgets and mandates. When you have executive management support, you have powerful allies. Executives can overcome objections and persuade an organization to adopt policies. They can coach the chief information security officer (CISO) on how to avoid pitfalls.

Executive support is key to security policy enforcement. At some point in the enforcement process you need to change workers’ behaviors. This can require disciplinary action. Even taking workers aside and coaching them runs the risk of negatively impacting a department. It is important that you lay the foundation for such discussions in advance. You accomplish this through the executive of the department. This executive can send a clear message that there’s zero tolerance for ignoring security policies. The executive must be clear that violations of policies will be taken seriously. This type of message establishes a tone at the top.

TIP

Work with the people who report directly to executive management before presenting any proposal. Direct reports are often trusted advisers. Even if you have a good idea, the executives often defer decisions until they can discuss the issue with advisers. By presenting your proposal to the adviser first, you avoid delays. Advisers can also be strong advocates for you with the executive.

Governance Versus Management Organizational Structure

Enforcement is most effective when it comes from the employees’ own leadership. Information security teams often do not enforce policies directly. Security teams do not directly manage all employees and thus typically cannot “order” an employee to comply with policies. So how do security policies get enforced? Usually security teams monitor for compliance and then report noncompliance to leadership. It’s then up to leadership to direct employees and ensure the right behavior occurs. This can include disciplinary action up to and including termination (firing) in the case of a serious violation of security policies.

It’s important to remember that the employees look to executive management for direction. The executive leaders are expected to lead by example. This means they follow the same policies as employees. When they exempt themselves, they devalue the importance of the policies.

Executive management should take an active interest in key performance indicators and show continued support for the program. They should be visible in approving any deviation from policies and approve it only when necessary. This visibility sends a powerful message about the importance of security policies and risk management. When an incident does occur, this preparation creates less chance of pushback. The executive is more likely to enforce policies to support his or her personal credibility. Once executives put their own credibility behind policies, they are less likely to allow violations to occur.

Finding the right level of leadership to take action can be a challenge. It’s generally more effective to have leadership governance and management committees responsible for IT security policy enforcement. There is a difference between governance and management within an organization. To see this difference, consider the Control Objectives for Information and related Technology (COBIT) 5.0 definitions, as illustrated in FIGURE 14-1. As the figure shows, governance sets strategic direction, and management runs day-to-day operations. Governance, as defined by COBIT 5, “ensures that enterprise objectives are achieved” and directs management to execute. It’s these governance processes that balance competing interests, such as the business’s need to make a profit and the customer’s need to buy services at a fair price. Governance sets the direction for management to follow. It’s then up to management to achieve its goals “in alignment with the direction” set by the governance processes. Management is responsible for running day-to-day operations. Both organizational structures monitor activity.

An illustration of governance and management processes and how they work together within the COBIT 5.0 framework.

FIGURE 14-1 How governance and management work together within the COBIT 5.0 framework.

Governance committees are more likely to monitor activity after the fact and in the aggregate to assess whether goals are being achieved. Management committees are likely to monitor activities before, during, and after as part of running the operations. What does this mean for the compliance program? It means that you need to monitor the effectiveness of quality assurance within management processes.

Management committees are responsible for running the business. As they run these processes, they need to be checking whether security is in place. For example, as they create an ID, they also need to ensure it has the right kind of access before it is issued. Before moving code into production, management needs to make sure it has all the security features turned on.

Both management and governance committees would be interested in results from QC reviews and compliance assessments. Remember, governance generally deals with issues in the aggregate. That means governance cares about the accumulation of issues that would impact the organization’s goals. For example, governance might care that 30 percent of the online systems fail a Payment Card Industry Data Security Standard (PCI DSS) vulnerability assessment. Governance committees tend to focus on the aggregate PCI DSS test results rather than on any one specific test. The 30-percent failure rate might indicate a potential risk of fines, or the risk that a hacker could disrupt the company’s ability to accept credit cards. These risks could impact the company’s goals and objectives.

Management would also be interested in the PCI DSS assessment. Management would want to know a range of details, such as which vulnerabilities failed and on which systems. Management would want to know why the QA processes were not able to detect the problem before the systems went into production. Management processes typically deal with the detail needed to run the business day-to-day, whereas governance deals with setting strategic direction.

Both management and governance committees are generally provided monitoring reports from the compliance program. These compliance reports provide the information needed for leadership to take action. Additionally, the management processes are generally used to identify root causes and recommendations for fixing any noncompliance problems.

To continue the 30-percent PCI DSS assessment example, management might identify a root cause for the high rate of failure. The problem may be due to outdated technology. Management may recommend an increased budget to replace the outdated technology. Governance processes consider the recommendation and the impact of the situation on the organization’s goals, and they approve funding for the technology replacement.

The Hierarchical Organizational Approach to Security Policy Implementation

The organization itself has a role in enforcing policies. This is typically handled through gateway committees. These committees are executive management processes to review technology activity. They often provide approvals before a project or activity can proceed to the next stage. This is why they are referred to as “gateways.” They are literally the gateway for new technology projects entering the organization.

Some organizations combine different functions into one oversight board. Larger organizations often separate committee functions. The names of these committees depend on the organization. Regardless of how these committees are combined or divided, the membership should include senior leaders across the organization.

Don’t get confused by committee names or the number of committees in an organization. The key is to understand how committees within an organization view risk and enforce policies. The following are committee roles and responsibilities found in most organizations:

  • Project committee—Approves project funding, phases, and base requirements
  • Architecture review committee—Approves standard technologies and architectures
  • External connection committee—Approves external data connections
  • Vendor governance committee—Approves new vendors and oversight of existing vendors
  • Security compliance committee—Approves controls for compliance with laws and regulations such as Sarbanes-Oxley (SOX)
  • Operational risk committee—Approves risk tolerance and oversight of risk exposure to the business

These committees have line of sight into all major projects and initiatives within the organization. Each committee looks at risk from a different perspective; however, they all play a role in enforcing security policies.

TIP

Committees often have charters. These are formal documents that outline the mission and goals of the committee. These charters are valuable sources of information as to the function of the committee.

Project Committee

The project committee reviews project concepts, designs, and testing phases. It approves when a project can go into production. The number of phases requiring the committee’s approval depends on the project life cycle (PLC). The intent is to identify project problems early to reduce costly mistakes. This external project review is an ideal time to examine any security policy issues.

This committee has the authority to stop a project that fails to adhere to policy. This is a powerful organizational enforcement mechanism. At a minimum, the committee asks the project team about any known security policy deviations. Additionally, representatives from the security team are members of the committee. They can ask focused security policy questions. For example, they may ask PCI DSS compliance questions about a new online credit card processing system being deployed. The security or audit staff often perform an assessment of a project. That assessment would be submitted to the committee for resolution of any security policy issues.

Architecture Review Committee

The architecture review committee promotes standard use of technology and architecture. By creating architectural models to be followed, the organization can more rapidly deploy consistent technology solutions. These models usually have much of the security policies embedded in their design. Consequently, deploying standard sets of technology ensures highly reliable and compliant solutions.

This committee has the authority to stop a project that fails to adhere to these technology standards. The committee can enforce security policies. This is accomplished by deploying technology solutions that are compliant with security policies. Additionally, the committee needs to resist adopting technology that deviates from the security policies. When noncompliant technology needs to be adopted, the risk must be accepted by the business. The committee presents the risk and technology recommendation to the business.

External Connection Committee

The external connection committee defines how data is transmitted outside the organization. This includes how and what data is sent and received. This committee works closely with the vendor governance committee to make sure no external connections to unauthorized parties are approved. A focus of the committee is the security and reliability of these third-party connections. For organizations with little external connection, these responsibilities may be rolled into other committees, such as the architectural review committee. Another focus is defining what data may be sent to a third party. The committee generally does not give blanket approval for all types of data to be sent once a secure connection is built.

This committee typically enforces communication and encryption security requirements. No connections that violate these policies are approved.

TIP

Sending sensitive or confidential data outside the organization to a third party must be considered a major decision and event. Make sure the third party has adequate controls in place before turning on the external connection.

Vendor Governance Committee

The vendor governance committee has both a business and a technology role. The business role is the oversight of the vendor relations. This role ensures that vendors deliver on commitments. In other words, this committee ensures that the vendor meets the service level agreement (SLA) in the contract. The committee also examines concerns about product quality.

The technical role of the committee is to ensure that the vendor complies with contracted policies. These contracted policies should be at least as restrictive as your own policies. For example, assume you identified a security policy requirement to log access to a file in order to comply with a regulation. Just because that file is now transmitted to a vendor to be processed doesn’t mean the security policy requirement for logging ceases to exist.

Vendor contract requirements must require a level of care for data equal to or better than the organization’s. Vendor governance policies must require the organization to put in place a way of ensuring such care is taken. It’s not adequate to simply sign a contract. Accountability for that data remains with the organization. For example, under the Gramm-Leach-Bliley Act (GLBA), a bank is responsible for protecting an individual’s personal financial records. The bank is still accountable if a vendor on the bank’s behalf processes that data.

The bank must ensure the vendor has adequate controls in place. This can be accomplished by auditing the vendor. You can also ask the vendor to provide evidence of a recent audit. The contract itself, which is a promise by the vendor, is not considered evidence that the vendor is adequately handling the bank’s data.

Security Compliance Committee

The security compliance committee typically has many roles. One of the key roles is to determine when policy violations occur. The security compliance committee reviews risk and vulnerability assessments. The committee often focuses on pervasive controls. A pervasive control is a common control that is used across a significant population of systems, applications, and operations. For example, assume the same ID and password can be used across many systems and applications. That control would be considered pervasive in the environment. The security compliance committee’s role is to ensure those controls conform to the security policies. The committee may also be a gateway for projects to ensure that controls follow policies.

It is important that pervasive controls comply with security policies. These controls have significant impact on securing systems and applications. If there is a weakness in one of these controls, a weakness exists throughout the infrastructure. These controls are also critical to compliance testing. For example, many organizations rely on these controls for SOX compliance. When these controls do not work, organizations can find themselves out of compliance with key regulations.

Operational Risk Committee

The operational risk committee, often referred to as ops risk, has both a business and a technology role. The committee’s primary role is to manage risk to the business. The operational risk function makes sure the business is operating within its risk appetite and risk tolerance. For example, proper segregation of duties keeps certain risks under control.

To illustrate this point: You would not want the same person to be able both to set up a vendor and to order and accept goods from that vendor. If you did, that person could set up a fake vendor. The person could then order goods without receiving anything, but would trigger an invoice, which the company would then pay. This means the company would have paid a fake vendor who supplied no goods. The dishonest employee, in other words, would have created a channel to divert funds from the company to a partner in crime, or even to his or her own bank account.

The ops risk committee has an enforcement role for security policies. The committee is responsible for ensuring that the policies are adequate to control key business risks. Security policies, by definition, control business risk. This means the committee is required to approve any deviations from security policies, thus accepting the accompanying risk.

The operational risk committee views risk as an individual event and as a portfolio of risks. By looking at risk both ways, the committee can determine a risk tolerance for the organization. For example, suppose the committee finds isolated instances of policy violation. Perhaps it’s too expensive to replace outdated technology. These isolated instances may be acceptable risks individually; however, the combination of so many isolated cases may undermine a key compliance program. The committee needs to look at accepting risk both from the specific event and as part of a larger portfolio of risk.

The CISO or delegate is typically a committee member. He or she plays an important role by explaining the level of risks accepted by the committee on behalf of the business. Other members of this committee are typically business leaders. These leaders help enforce security policies within the business.

Organizations vary in size and management approach. As a result, the number of committees and their responsibilities can vary. Some organizations combine the functions of several of these committees. The key point is that these responsibilities need to be formally assigned to some committee within the organization.

Front-Line Managers’ and Supervisors’ Responsibility and Accountability

Once policies are established, management must figure out how to implement them. This includes making the policies operational. For line management that means the following:

  • Ensuring everyone on the front-line team is trained
  • Taking on the role as the go-to person for questions
  • Applying the policies consistently
  • Gathering metrics on the policy’s effectiveness
  • Ensuring everyone follows the policy

Front-line managers and supervisors work with employees every day. They see what works and what does not. They need to work with their teams to make sure everyone understands the new policies. Managers ensure everyone has gone through awareness training. They also answer any outstanding questions. If they don’t know the answers, they find out where to get the information. They are responsible for ensuring their team is ready to implement policies. They also ensure the policy rollout is on schedule within their team’s responsibility.

Front-line managers and supervisors are directly accountable to ensure that employees are implementing the policies consistently. This oversight includes gathering metrics on how well the implementation is working. Sometimes policies have unintended consequences. These individuals need to document the situation when policies don’t work out as designed. They are responsible for notifying management of issues and problems.

Inevitably, something will go wrong. If someone fails to follow policy, managers are responsible for finding out why and resolving the problem. Sometimes that includes disciplining an employee. Other times, it is more a matter of finding out why the employee wasn’t successful and overcoming the problem with coaching or additional training.

The result of these managers’ and supervisors’ efforts is enforced policies. These efforts ensure policies are implemented and are working properly.

Grass-Roots Employees

Employees react to the environment around them. It’s rare that a worker comes to work with the intent not to follow a security policy. Obviously, it is possible that employees with malicious intent could exist in an organization; however, this is not the primary cause for failure to adhere to policies. More often, employees don’t fully understand the policy, or find it very inconvenient to adhere to. The problem is exacerbated if policy enforcement is either nonexistent or inconsistent.

This means that employees have great influence over coworker actions. If one employee is violating some policy with apparent impunity, it becomes more likely that other employees will consider violating that policy. This peer pressure provides a grass-roots enforcement method. In close-knit teams, peer pressure can be a tremendous asset. Such pressure is most effective when employees know that infractions will bring scrutiny and lead to embarrassment in front of the group. The key is management’s response to security policy violations. The peer pressure is more likely to be applied when the response of management is visible. This is similar to driving on a road in the United States. If you see several other drivers exceeding the speed limit by 10 miles per hour without consequence, you may feel emboldened to speed yourself.

Enforcement need not always be punitive. Rewards can also be a means of policy enforcement. If someone is exemplary at following some critical policy, they should be recognized. If a given team or department goes for an extended period of time without any incidents, they should be rewarded. The specific criteria and mechanisms for reward will vary among organizations.

Employees are key to understanding how to align policies to the business. They understand the level of risk for a particular business function. Based on that risk, appropriate enforcement can be applied by employees, front-line managers, and supervisors.

Policies evolve as the business evolves. The risk management process must have a feedback loop from employees to ensure that the policies still make sense for the business.
