Gartner Blog Network

Will your successors throw away your policy?

by Jay Heiser  |  January 24, 2011  |  1 Comment

I spend a lot of my time doing policy reviews. Sometimes the review request comes from the policy author, looking for some feedback. Usually, the request comes from someone else.

One of the first things that many new infosec managers do is start on a policy rewrite. While this is sometimes a political gesture, meant to establish the authority of a new manager, it is more often done because the existing policy is either obsolete or poorly written.

Bad policies are counterproductive in multiple ways. It is usually impractical to follow a poorly written policy, which sends the message to the organization that policies are merely a bureaucratic exercise that can be ignored. In some cases, policies are based on a flawed analysis of risk, requiring employees to unnecessarily restrict their activities in ways that are bad for business. This reduces efficiency, and results in a cynical attitude towards the entire security program.

Policy is often a necessary evil, putting a virtual stake in the ground of employee behavior. ‘Good’ policy doesn’t guarantee that you will meet your security goals, not by any means. However, ‘bad’ policy will almost certainly lead to a disappointing security (or any other) program.

Make your policy documents something that your successors will want to keep.

Category: it-governance  risk-management  security  

Tags: policy  risk-management  security  security-program-management  

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…
