Survey Shows Disconnect On IT Policy

Cisco follows up on its survey on data leakage, which I already wrote about, with an analysis of policy effectiveness. There isn't too much surprising in the findings, but the results continue to highlight the need for sound security policy management processes in organizations and, more important, that the policies need to be communicated to employees. The survey results look at the difference between IT decision makers and end-users. The survey, conducted by InsightExpress, polled 1,000 end-users and 1,000 IT decision makers in 10 countries. InsightExpress vetted the respondents in the various countries.

There is a huge disparity, 20% to 30%, between the share of IT decision makers and the share of end-users who are aware of acceptable-use policies for computers, PDAs, and smartphones. Raising awareness is a significant issue and one that security management often points to as the most difficult to overcome. In a conversation with a CSO of a medium-sized manufacturing firm, he told me his position has expanded from just information security to training. He spends a great deal of time working with HR to develop training sessions and reminders for their employees. It's slow going, but his company is starting to see pay-offs in a reduction in violations.

What is interesting is how differently end-users and IT decision makers perceive the methods used to communicate security policy. A large percentage of end-users, 59%, indicated that policy is communicated via e-mail and, to a lesser extent, 38% of end-users indicated that policy was communicated during meetings with IT staff and executives.

But 58% of IT decision makers say they are exposed to policies during meetings, and 56% get their initial policy information during new-hire orientation. The disparity could be due to the fact that IT tends to be more exposed to security initiatives than end-users, but the user perspective is telling. Your end-users are on the front line of information security -- a point that Kevin Mitnick made during his keynote speech at Dark Reading and InformationWeek's Virtual Security Event and that I talked about in our 2008 Strategic Survey [registration required].

Of course, end-users and IT decision makers also differ on why employees violate security policies. Among the top reasons cited by IT decision makers: 47% say end-users don't think there is enough risk to be concerned, 41% say end-users think IT will protect them, 39% say security is not top of mind for end-users, and 38% say end-users don't care.

The responses from IT decision makers across all the countries are fairly uniform. A few notable exceptions: a significantly larger number of Chinese respondents, 33% more than the nearest country, indicated that security is not top of mind for end-users, while only 5% of French respondents, and only 6% from the next-lowest country, the U.K., indicated they needed better education and training programs.

Compare those responses to end-users' responses, where 42% say the policy doesn't align with the reality of their job, and 33% say they need access to applications to get their jobs done. Those results clearly indicate that there is a disconnect between what IT is offering and what end-users need. Your employees are not stupid or evil. They are, by and large, responsible people who want to get their jobs done. If IT isn't supporting the needs of employees, there is a fundamental issue with how IT perceives employees' needs. Unlike the responses from IT decision makers, end-users' responses vary more by country, indicating cultural differences that international companies need to take into account.

Here's the final analysis: IT and IT security provide a service to the organization, not the other way around. In some cases, IT has to draw a line to protect information assets. But more often than not, alternatives that are acceptable to both IT and end-users can be found. IT and the business have to work together to determine what the organization's needs are and then how IT can provide or support those services in a secure and reliable manner.

This is an organizational problem. The blame doesn't rest solely on IT or end-users. Each group has to take responsibility for its areas of interest. Ultimately, IT wants to provide an efficient, easy-to-manage, secure, and reliable infrastructure to the organization. End-users want a stable set of applications that will fulfill their job needs with a minimum of headaches. You can start by finding out the perceptions of each group through anonymous surveys, meetings, and discussions. Then you can analyze the disparities and address them. It takes a village. Find out what the villagers want.

A Lesson In Disconnects

Let me close with a story. I was talking to a friend who took on a CIO role at a company. He had been with the company for a number of years in business development. He didn't come up through the ranks of IT, but he had the principles down. He thought he would be able to make some necessary changes. In the past, he had complained bitterly about his IT department. They weren't responsive to business needs. They were entrenched in doing things one way and one way only. They were slow to adopt new technologies. The biggest thorn in his side was the rollout of new services.

Every time IT had to deploy a new service, they completed the deployment one to two weeks early. He said IT would point to how good they were because they always finished jobs before the deadline. He was angry because he thought IT padded its schedules, which meant he had to delay projects because his work schedule depended on IT's timeline. His projects were needlessly delayed; he could have used the extra one to two weeks.

When he entered his new role, he set out to fix the scheduling problem, but he couldn't get his managers to change their ways. His IT managers had been through a number of CIOs in their tenure and weren't likely to change. What he didn't do was try to figure out why IT always padded schedules. IT may or may not have had good reasons for padding, but he didn't bother to find out. The moral is that without understanding the underlying reasons why people act the way they do, you really can't address problems effectively. All you can do is address the symptoms. The survey results show a disconnect between end-users and IT decision makers which, if addressed, would bring end-users in line with company policy and, at the same time, bring company policy in line with end-user needs.