Jay Heiser

A member of the Gartner Blog Network

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data… Read Full Bio

Coverage Areas:

Will your successors throw away your policy?

by Jay Heiser  |  January 24, 2011  |  1 Comment

I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else.

One of the first things that many new infosec managers do is start on a policy rewrite.  While this is sometimes a political gesture, meant to establish the authority of a new manager, it is more often done because the existing policy is either obsolete, or poorly written.

Bad policies are counterproductive in multiple ways.  It is usually impractical to follow a poorly written policy, which sends the message to the organization that policies are merely a bureaucratic exercise that can be ignored. In some cases, policies are based on a flawed analysis of risk, requiring employees to unnecessarily restrict their activities in ways that are bad for business. This reduces efficiency, and results in a cynical attitude towards the entire security program.

Policy is often a necessary evil, putting a virtual stake in the ground of employee behavior.  ‘Good’ policy doesn’t guarantee that you will meet your security goals–not by any means. However, ‘bad’ policy will almost certainly lead to a disappointing security (or any other) program.

Make you policy documents something that your successors will want to keep.

1 Comment »

Category: IT Governance risk management security     Tags: , , ,

1 response so far ↓