Communicating the need for "security policy" in SMBs and other organizations
Tuesday, June 30th 2009 @ 2:50 PM
It's a common problem in Small and Medium-sized businesses. The word POLICY sets you back and you lose credibility - whether you're talking about "security policy" or a "product return" policy. It can certainly turn off workers in the blink of an eye. (In fact, I've probably lost you already... ) So, what can you do if you feel that there are no consistent rules around security in your organization?
Security Policy is one of the major pillars of any security program. But if SMBs ignore this pillar, or fail to make progress in defining some consistently applied rules, it's really a demolition derby of rogue employees doing whatever they want, in the name of "innovation, agility, responsiveness" or any other advantage a small business has over its larger industry peers.
Policies seem to be more acceptable in larger organizations, where you need them to avoid complete anarchy. But where security is concerned, policies - or something resembling them - are critical, even for the smallest of companies. A one-man shop or a family computer in the kitchen needs a set of guidelines or conventions for working safely.
I've worked with companies where I knew as soon as the word slipped out of my mouth that they thought I was trying to drive a nail with a sledgehammer, with respect to securing their operations - way overkill in their minds.
But if you can find out what the organization's culture "cares about", you can start to identify the consequences of failing to have something equivalent to good security policies. What would be the consequences if some information was disclosed or modified without authorization? Or what would be the impact on revenues or costs if information your business relies on was unavailable to you when you needed it?
Once you've identified those impacts, you need to choose a less inflammatory word that you can use to represent the concept of policies that provide consistent rules for protecting against the consequences.
Here are some suggestions or euphemisms:
* Helpful Hints
Consistently using whatever term you choose to frame what we would otherwise call policies will start to ingrain the need for some acceptable governance, which you can point to when talking to anyone outside the organization who refers to policies.
Perhaps you already have this kind of environment in place and never realized it. Just because you don't call them policies doesn't mean you can't use what you have as a basis for your security program. Once your organization grows, you may find that, through some other miracle - perhaps a change in senior management - the word Policy becomes acceptable; then you can simply propose to "transform" your "guidelines" into policies.
What does your organization call these kinds of rules, or what would you suggest as an effective euphemism? We'd like to know.