Security policies in general, not just security awareness policies, can suffer from a disease I like to call ‘ginger-vitis’. Management wants to have policies in place, or is forced to put them in place, but it doesn’t want to make life difficult for others or to create conflict. So, it often gingerly omits the section of the policy that defines what happens when there is non-compliance. This can feel like a win-win scenario: Management gets to manage and make important decisions, and it doesn’t step on anyone’s toes.
But it’s a lose-lose situation for those (you) who have to implement the policy because someone’s non-compliance becomes your non-compliance. Management doesn’t have to come down on the employee for not taking training, but they can come down on you for not putting everyone through training.
Just do it. Ok? Please?
Without a clear, worst-case scenario for the consequence of non-compliance, there is little use for a policy at all, especially if you end up with a group of people who just can’t be bothered to follow training. Higher education faculty are famous for being difficult in this way.
You end up begging, pleading, and bribing people to comply when all that effort could be spent on getting Management buy-in for some definition of consequences.
Management holds your teeth in their hands
Getting Management buy-in for consequences does two big things for you:
- Management agrees on how seriously to take training
- If all your efforts fail to work with a non-compliant person, you have backup in the form of a policy
This does not mean that you can jump straight to the worst-case scenario whenever someone is non-compliant. You still have to maintain a healthy security culture and exhaust all interpersonal avenues to encourage compliance. Management buy-in means that as you try to find the key that gets the non-compliant person onboard, you know that it’s not all up to you. Management has your back.
Your Takeaway: Define the path to consequences
It’s Management’s job to make sure their policies are properly constructed and have all the elements required to make them implementable and enforceable in your organization. Although it is common that security awareness policies are written gingerly, it does you and your organization no favours to keep them this way.
If you find yourself in a ‘ginger-vitis’ situation, here’s what you can do:
- work with Management to define a ‘worst-case’ scenario as part of the policy
- devise a high-level approach on what to do before the situation becomes a worst-case scenario
- assure Management that the purpose of the change in policy is encouragement and compliance, not punishment
- thank Management for taking the issue seriously enough to give you the tools to handle difficult situations