I find it interesting when organizations introduce policies that are obviously flawed. Usually it seems that whoever created the policy did not think through how it would work in practice. A great example from an IT governance perspective is a policy that prohibits people from listening to music on their computers. Although there are probably circumstances in which this type of policy is beneficial, it will almost certainly be unpopular and, unless the organization is willing to spend significant resources, it will be difficult or impossible to enforce.
In essence, the likelihood that individuals in the organization will ignore or circumvent specific IT policies is directly related to whether those policies are easily understood, considered fair and reasonable, and, most importantly, likely to be enforced. In other words, if people in your organization think the rules generated by your IT governance policy do not apply to them, are unfair, or can be ignored with impunity, they will not follow them.
This is an incredibly important concept for IT leaders. It has always been important, but in the era of sophisticated, persistent threats perpetrated by well-funded criminal organizations and foreign governments, it could be a matter of organizational survival. We need people to obey IT policies for the protection of both the individual and the organization.
With the stakes so high, one would think organizations would be focused on mitigating these risks. And we do see evidence that the US government takes this risk seriously in its efforts to impose more restrictions and spend more on understanding how to enforce policies or discover failures. Interestingly, an approach that is often overlooked can be a key part of the solution: using a combination of customer surveys, policy development, training, and communications to facilitate willful compliance.
For those who have experience with these types of efforts, it is self-evident that the effort to ensure that policies promote willful compliance easily pays for itself. Once those IT policies are easily understood, perceived as fair and reasonable, and communicated to the organization in an affirming way, then the effort required for enforcement is dramatically reduced—simply because the audience is listening.
IT governance is ultimately about creating a safer IT environment in your organization. The governance to create the safer environment must start with policies that are easy to understand, perceived as fair and reasonable, and enforceable. If you don’t know how to create those types of policies, help is available.
As anyone serving the government knows, it is past time to make these changes: every day that large groups of people ignore or circumvent policies that are meant to protect all of us is an invitation to disaster. Now is always the time to build a safer information technology system.