It’s hard to believe that something as mundane as the management of user policies could be so difficult within Public and Private Sector Enterprises. If it were easy, then users would know, understand and follow corporate policies and guidelines on Compliance, HR and IT Assurance. This would be evidenced by low levels of data breaches and by a reduction in employment-related litigation and tribunals. However, the reality is that with increased regulation and legislation, organisations have to face up to the big issue of dealing with inappropriate user behaviour.
The old saying “there’s nothing as queer as folk” really does apply in the workplace. However, we live in a world where the executive and Boards of organisations are being held accountable for activities arising from bad user behaviour.
The problem areas for the organisation fall into two groups: those people who have malicious intent and those who don’t have a clue. There is also the problem of the rest of us, who need to be regularly reminded to do the right thing. The solution to the problem is to have a strategy to change the culture of the organisation. No easy feat given the politics and inertia inherent in today’s corporations.
Where to start changing Corporate Governance Culture
The place to start a proper culture change strategy is with the key company policies. Many companies are unaware of the amount of money they are wasting on out-of-date policies, inconsistent policies or badly written policies. Not only do these undermine the overall Compliance and HR Integrity of the organisation, but they also lead to too many failures in employment tribunals, wasted management effort and now fines from the ICO.
Executive Management have to have the collective will and courage to attend to the detail of key policies and be prepared to face down the internal interest groups who see change as more work rather than the mitigation of risk for the organisation.
Accountability is the Key
Aligning employees and trusted third parties with the organisation’s Security and Compliance frameworks begins with policies. Users must have the option of obfuscation removed and, where necessary, be required to digitally sign key policies. That’s where the corporate courage bit comes in. When people sign something they know they are accountable. Many managers are happy with the loose email and corporate internet approach that leaves the company vulnerable but avoids facing up to the effort involved in culture change.
Rules for Organisational Policies
With most perimeters secure, networks encrypted and devices controlled, the big issue of user activity has to be dealt with.