Whilst some of the common or recurring themes that emerge from the discussions we frequently conduct with organisations may not surprise our readers, we have detailed the six most common below.
- In many cases a “Big Bang” approach is taken to getting IT Policies in place or refreshed. This occurs approximately every 3 to 5 years. The word “approximately” is used here because this timeframe is not based on any planning or cycle; it is typically triggered by an event or incident that sees someone pick up the policy documentation for guidance, only to realise the content is outdated.
- The author or person last responsible for writing the policies is no longer with the organisation and nobody has picked up or continued this work.
- In instances where someone has been compelled to make “ad hoc” changes or edits to keep content current, it becomes evident that process and procedural elements have crept into the policy statements, suggesting the editor is not trained in writing policy. Cross-referencing to relevant Standards such as ISO or PCI is also often limited or non-existent.
- The Business Owner, Directors and Senior Management don’t fully appreciate the investment required to develop IT Policies, apply them and train staff to adopt them so that they become an embedded part of the organisation’s use of IT. The fall-out is that a policy project has limited or no success and cybersecurity risk is still not adequately addressed.
- Stakeholder buy-in is essential. Policies are designed to protect everyone working with, or for, an organisation – from the top down. Business Owners and Directors need to appreciate how policies help manage governance, risk and compliance considerations. All users – staff and managers – need a code of conduct for the use of IT systems and data. If an IT Policy project involves nobody beyond the IT Department, the likelihood of other management and staff “getting with the program” is very low.
- After the policies were initially developed, they were filed away at HQ and rarely seen or used. No “visibility” results in no accountability, compliance or adherence to the desired code of conduct. This is further compounded if the organisation is geographically dispersed or decentralised.
The investment required to develop and manage a comprehensive suite of IT Policies in-house on a 3-5 year cycle is significant. Partnering with a specialist organisation in this area can reduce that investment by as much as 70%. Once the Policies are in place – and visible – specialists can then assist the organisation in delivering an education and awareness program, which should help embed the desired common direction and control of risk.