Executive Buy-in, Cost, and Impact

Ultimately you will need senior managers’ formal buy-in and support for any costs they need to incur. When dealing with executive management, define expectations clearly. Senior executives generally have little time to create specific strategies. They expect well-defined security approaches and recommendations. You might need their input on undecided key issues. However, executives expect you to do your homework and to engage their teams. You should have already spoken to their staffs and worked out most of the details. When a CISO is in front of an executive to talk about implementing security policies against a target state, it should be a short conversation. The conversation should focus on “This is our recommended approach” and “This is what I need.” The executive will want to know the following, at a minimum:

  • The level of commitment being asked of his or her team
  • The impact of the policies on the current environment
  • The value the policy brings; in other words, what risks the policy addresses
  • The metrics of success—how success will be measured

Also, be sure to establish lines of communication. You’ll want to spread the word on both major successes and setbacks throughout the implementation. Keep the lines to executives open. They want to avoid surprises. If something is not going well, they prefer to hear it from you first. They will also use success as a barometer for future requests.

Executive Management Sponsorship

Without executive management sponsorship, users will be less eager to participate in awareness training and to support the policy implementation. Support for a policy implementation takes time away from an individual’s regular job. Many organizations are understaffed and overcommitted. Security policy implementation may not be seen as valuable or urgent. Executive management sponsorship changes that perception.

You should expect to fund the implementation with a defined budget. Buying tools and creating training materials are start-up costs. These costs may not be in the current budget. Additionally, you should expect a formal communication from management supporting the program. This communication can be a simple email that emphasizes the importance of team participation. This tone at the top is important to overcome common objections, such as, “I’m too busy right now.”

Efforts to gather support should not be limited to a single executive. A security policy implementation spans the enterprise. This means you should seek multiple executive supporters. Remember, awareness is ongoing and extends well beyond the classroom. Awareness and a communications plan should be executed throughout the policy implementation process. For example, partnering with corporate communications or marketing departments allows the security message to be included in company newsletters and bulletins. The IT security team provides the content, whereas the communication and marketing department professionally packages the message. Executive sponsorship in those areas can extend the message’s reach. These executives can advise the IT security team on how best to market through existing communication channels.

Overcoming Nontechnical Hindrances

It’s not just technical challenges that can delay security policies from being implemented. It’s important to remember that human factors matter, too. Success depends on how well people accept the policies.

Distributed Environment

Many organizations operate in a distributed environment. Organizations are typically divided by lines of business, product, or geography. In a distributed environment, an organization is run by different individuals with different business objectives. Therefore, different parts of an organization can have different views of risk. This diverse set of leaders can delay security policy implementation.

The first challenge is to get senior leadership to agree on a common set of security policies. The second challenge is agreeing on an implementation timeline.

User Types

A diverse set of views is not just reflected by leaders. The organization’s general population also harbors a diverse set of views. The workplace has many types of users. Remember that you operate in an existing culture. That culture might not share the principles stated in the security policies. Even in the best of circumstances, it takes time for security policies to change the culture. In the meantime, you must recognize the type of culture and users that exist at the time the security policies are being implemented.

This sometimes means working in a culture that thinks of information security as an afterthought. Users in this environment may do the minimum to get by. You have to educate them on security policies and help them shed bad habits. Security awareness that targets specific habits can help. It’s important that these users and habits be identified early. Plan specific communication events that focus on policy value and awareness training to change existing habits.

Some users think information security is a technology problem, not their problem. They might not object to the rollout of new policies, but they might undermine the policies’ effectiveness by doing the bare minimum. This type of user attitude can best be managed through effective leadership. When a user knows that his or her job responsibilities include implementing security policies, such attitudes begin to change.

Organizational Challenges

Organizational challenges depend on the culture and industry. For example, the financial services industry puts significant resources into implementing security policies. In these organizations, the focus is on how to implement security policies to meet compliance laws and regulations.

Other, less-regulated organizations may question whether they should implement security policies at all. Understanding and overcoming these objections is an important part of obtaining buy-in. The following is a list of organizational challenges you might face when implementing security policies:

  • Unclear accountability
  • Lack of budget
  • Lack of priority
  • Tight schedules

Management is ultimately accountable for protecting information. Thus, management has a key role to play in implementing the proper policies. Implementations require management to be accountable for their success. The challenge arises when leaders perceive policy implementation as purely an IT function. Leaders must support the implementation and deliver the right message to all their subordinate teams.

Another organizational challenge is a lack of budget. Implementing security policies across the enterprise requires resources and funding. It may be a challenge to obtain funding without management support. The implementation of policies is more than sending out emails and posting a policy on a server. It takes time and funding to create training programs, to brief departments, to train users, and to hold town hall meetings. A town hall meeting is a gathering of teams to make announcements and discuss topics. These types of efforts take time and funding on both the IT and business side. It’s even more challenging when the business is asked to allocate funds from its own budget. Competing for limited funds is always a challenge in an organization. Information security has to compete for organizational priority.

NOTE

Security policies reflect a core set of principles. When you have different views of risk, it becomes a challenge to agree on these core values. It also becomes a challenge to decide how to enforce the policies.

Implementing security policy is no different from any other activity. An organization faces many conflicting priorities. It may face business challenges that drive its priorities. For example, a priority may be to expand customer services. An organization may need to reduce defects in its product line. The key point is that organizations have limited resources. Often, there are more priorities than resources available. The challenge is to avoid security policies becoming low-priority items. Ideally, security policy should be seen as supporting or enabling the business’s highest priorities.

For the implementation of security policies to be effective, it must be taken as a serious organizational commitment. You accomplish this, in part, by avoiding direct conflicts with other priorities. You should time the implementation of security policies so it doesn’t conflict with other events. For example, assume you know that a new product will be released over the next three months. You may want to hold off implementing major security policies until after the product launch. Companies in this situation may not have the bandwidth to deal effectively with both efforts.

Yet you don’t always have the luxury of waiting to implement policies. You may be under a regulatory requirement to meet specific timelines. When you do have flexibility, plan the timing of the implementation to ensure the organization can properly focus on the effort. Even in the best of circumstances, you often face tight implementation schedules. Once an organization has agreed on the content of security policies, the tendency is to implement them quickly, so the organization can move on to other priorities. Tight schedules may also be a byproduct of how well you communicated the benefits. For example, an organization that is facing significant audit findings may view the implementation of security policies as an important step in controlling those risks. This results in significant pressure to implement quickly. It’s important that an implementation plan recognize the time and effort required to reach and train everyone involved in the changes.

NOTE

Policies are, by definition, organizational directives. Assigning specific tasks and responsibilities during implementation is important. This becomes even more important when dealing with large, complex organizations. An implementation plan must define clear accountabilities for everyone from the leadership level to the IT security team.
