Security policies only affect IT?
Some think that security policies only affect IT?
I can agree that most organizations believe that any security policy is more related to IT than to the business, but the “entire purpose of having IT/Security is to protect the business” (Importance, N.d.); getting the company on board with that statement is another story. After some research, I found it stated that “65% of businesses would go out of business if they had to close for only one week due to a disaster or disruption” (CISSP, N.d.). “Every organization's last line of defense in protecting its information from unauthorized access is its employees” (IT Security, N.d.).
The technique to use would be to include more departments than just IT. This would educate them on the importance of security and give them a better understanding. “These policies should mirror your corporate culture and should be in harmony with your demonstrated business practices” (McConnell, N.d.).
One way to convince management that security policies include more than just technical content is simply to give them the facts. Let them know that “security is becoming a central concern for leaders at the highest level of many organizations and governments, transcending national borders. Customers are demanding it as worries about privacy, the protection of personally identifiable information, and identity theft grow” (Allen, 2013).
Communicating to the rest of the organization will be a little tricky. As stated in the article Implementing an Information Security Awareness Program, “there are 5 ways to establish an effective segmentation of the audience: Find a current level of computer usage; What the audience really wants to learn; How receptive the audience is to the security program; How to gain acceptance; Who might be a possible ally” (Peltier, N.d.). One example used to gain “receptiveness” was using something everyone has in common and can relate to, which was describing “phone card theft and cell phone cloning” (Peltier, N.d.). They wanted to establish common ground. They also did a “walkabout” to determine whether computers were locked, desks were locked, and items were secure. Not all companies will have the same policy, so before implementing one or trying to create one, work with the supervisors and managers to understand what their organization’s needs are and how the program can help them (Peltier, N.d.).
Interacting with other departments should not be an issue; “it should be a goal that both parties strive to maintain” (Cybersecurity, N.d.). It was discussed that interaction with other departments will depend on the specific area. If you are dealing with sales or management, they are not going to care what is being said: “They will not be interested in anything that appears to slow down their already tight schedule as it necessary to possibly demonstrate new controls that will improve processes” (Peltier, N.d.). Some departments will be “skeptical”, and for the executive level or departments, the message must be brief and have documentation available (Peltier, N.d.).
“Before you can sell the security program to any of the employees, you must sell it to yourself. The employees need to know that information is an important enterprise asset and is the property of the organization” (Peltier, N.d.).