Security success comes from employee input and enhanced training on policies.
TORONTO, Nov. 21, 2022 /PRNewswire/ - As data breaches and security incidents continue to increase, research indicates that security policies do not shape good employee behavior or security-conscious practices. To assist security leaders in enhancing their overall security posture with a defensible and prescriptive policy suite, global IT research and advisory firm Info-Tech Research Group has published a new industry blueprint titled Develop and Deploy Security Policies.
Adhering to security policies is rarely a priority for users, as compliance often feels like interference with daily workflow, and for many organizations, these policies do not have the desired effect.
"A policy for policy's sake is useless if it isn't being used to ensure proper processes are followed," says Danny Hammond, security research analyst at Info-Tech Research Group. "A policy should exist for more than just checking a requirement box. Policies need to be quantified, qualified, and enforced for them to be relevant."
Info-Tech's research shows that employees are not paying attention to policies, which could be due to a lack of awareness and understanding of the security policy's purpose, how it benefits the organization, and the importance of compliance when policies are distributed. Furthermore, informal, un-rationalized, ad hoc policies do not explicitly outline responsibilities, are rarely comprehensive, and are difficult to implement, revise, and maintain.
The blueprint explains that creating good policies is only half the solution. To nurture an effective security policy and increase engagement, organizations must take a concerted approach to developing a policy lifecycle that involves stakeholders from development to deployment, review, and monitoring.
"No published framework is going to be a perfect fit for any organization, so take the time to compare business operations and culture with security requirements to determine which ones apply to keep the organization secure," explains Hammond.
Info-Tech's blueprint outlines a policy management lifecycle that will enable leaders to keep policies current, effective, and compliant. The recommended lifecycle includes four key steps:
- Define Security Policy Program: Generate a roadmap to guide the order of policy development based on organizational policy requirements and the target audience.
- Develop and Implement Policy Suite: Policies must be reasonable, auditable, enforceable, and measurable. Policy items that meet these requirements will have a higher level of adherence.
- Communicate Policy Program: Awareness and training on security policies should be targeted and must be relevant to the employee's job. Employees will be more attentive and willing to incorporate what they learn if they feel the training was designed to help them.
- Measure Policy Program: Gaining feedback on policy compliance is important for updates and adaptation, as well as monitoring policy alignment to business objectives.
According to the research and expert insights, while management support is essential to initiating a strong security posture, allowing employees to provide input on the development of security policies will lead to easier incorporation of the policies into the daily routines of workers, with less resistance. The security team will also be viewed as less of an enforcer and more of a partner.
For more insights, download the Develop and Deploy Security Policies blueprint.
To learn about Info-Tech Research Group or to download the latest research, visit infotech.com.
About Info-Tech Research Group
Info-Tech Research Group is one of the world's leading information technology research and advisory firms, proudly serving over 30,000 IT professionals. The company produces unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. For 25 years, Info-Tech has partnered closely with IT teams to provide them with everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.
Media professionals can register for unrestricted access to research across IT, HR, and software and over 200 IT and Industry analysts through the ITRG Media Insiders Program. To gain access, contact [email protected].
SOURCE Info-Tech Research Group