
Scott Wright's Security Views

Communicating the need for "security policy" in SMBs and other organizations

Tuesday, June 30th 2009 @ 2:50 PM

It's a common problem in small and medium-sized businesses. The word POLICY sets people back and costs you credibility, whether you're talking about a "security policy" or a "product return" policy. It can turn off workers in the blink of an eye. (In fact, I've probably lost you already... ) So, what can you do if you feel that there are no consistent rules around security in your organization?

Security policy is one of the major pillars of any security program. But if SMBs ignore this pillar, or fail to make progress in defining some consistently applied rules, the result is a demolition derby of rogue employees doing whatever they want, in the name of "innovation, agility, responsiveness" or any other advantage a small business has over its larger industry peers.

Policies seem to be more acceptable in larger organizations, where you need them to avoid complete anarchy. But where security is concerned, policies, or something resembling them, are critical for even the smallest of companies. A one-man shop or a family computer in the kitchen needs a set of guidelines or conventions for working safely.

I've worked with companies where I knew as soon as the word slipped out of my mouth that they thought I was trying to drive a nail with a sledgehammer, with respect to securing their operations - way overkill in their minds.

But if you can find out what the organization's culture "cares about", you can start to identify the consequences of failing to have something equivalent to good security policies. What would be the consequences if some information was disclosed or modified without authorization? Or what would be the impact on revenues or costs if information your business relies on was unavailable to you when you needed it?

Once you've identified those impacts, you need to choose a less inflammatory word that you can use to represent the concept of policies that provide consistent rules for protecting against the consequences.

Here are some suggestions or euphemisms:

    * Rules
    * Guidance
    * Guidelines
    * Helpful Hints
    * Tips
    * Conventions

Use whichever term you choose consistently to frame what we would otherwise call policies. Over time this ingrains the need for some acceptable form of governance that you can point to when anyone outside the organization asks about your policies.

Perhaps you already have this kind of environment in place, and never realized it. Just because you don't call them policies doesn't mean you can't use what you have as the basis for your security program. Once your organization grows, you may find that, through some miracle such as a change in senior management, the word Policy becomes acceptable; at that point you can simply propose to "transform" your "guidelines" into policies.

What does your organization call these kinds of rules, or what would you suggest as an effective euphemism? We'd like to know.


Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Scott Wright on LinkedIn 


Copyright 2012. Security Perspectives Inc. All Rights Reserved.