Gartner Blog Network

Counterproductive Policies

by Jay Heiser  |  February 18, 2011

I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again.

Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” How can that possibly be productive in improving morale or reducing the propensity to engage in inappropriate behavior? If the institution wants employees to follow a certain line of action, then they must support them in making effective decisions. If the corporate counsel’s office doesn’t know what the law requires, then it makes no sense to demand that employees follow the law.

A second form of counterproductive policy is typified by words such as ‘may’ and ‘as required’. “…shall take the necessary actions” is a thinly veiled way of saying “We know we are missing something important, so we reserve carte blanche to interfere with your life in the future.”

Recognize that there are an infinite number of bad things that could occur, and that policy can do very little about them. Concentrate instead on practical and specific requirements and clear lines of responsibility.

Treat policy as a communications mechanism to improve employee willingness and ability to protect the enterprise. Do not use policy as a way to dump your risk on somebody else’s lap.


Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…
