Jay Heiser

A member of the Gartner Blog Network

Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…


Counterproductive Policies

by Jay Heiser  |  February 18, 2011  |  1 Comment

I do a lot of policy review for Gartner clients, and I see many of the same counterproductive practices over and over again.

Requirements to ‘do what is appropriate’ or ‘obey the law’ are tantamount to saying “we won’t tell you specifically what to do, but if you don’t do it, we will punish you.” How can that possibly be productive in improving morale or reducing the propensity to engage in inappropriate behavior? If the institution wants employees to follow a certain line of action, then they must support them in making effective decisions. If the corporate counsel’s office doesn’t know what the law requires, then it makes no sense to demand that employees follow the law.

A second form of counterproductive policy is typified by words such as ‘may’ and ‘as required’. “…shall take the necessary actions.” is a thinly veiled way of saying “We know we are missing something important, so we reserve carte blanche to interfere with your life in the future.”

Recognize that there are an infinite number of bad things that could occur, and that policy can do very little about them. Concentrate instead on practical and specific requirements and clear lines of responsibility.

Treat policy as a communications mechanism to improve employee willingness and ability to protect the enterprise. Do not use policy as a way to dump your risk on somebody else’s lap.


Category: IT Governance, risk management, security
