
Information Security Policy Implementation Issues

CHAPTER 5

SUCCESSFUL IMPLEMENTATION of information security policies starts before the policies are even written. Implementation depends on how well the policy is integrated into existing business processes and how well it is understood and embraced by leadership and employees. Implementing information security policies often results in putting in controls that slow the exchange of data. Creating, implementing, and maintaining adequate security controls can seem burdensome, but it is entirely necessary. Successful implementation of policies, therefore, must be viewed as a journey from conception to implementation. You must start with engagement, with creating awareness within the organization, and with building consensus on the need to implement the policy. As difficult as the technological side of information security can be, the human side, because it’s so unpredictable, can be even more challenging.

Once a security policy is created or revised and agreed upon, the implementation process starts. The process of implementing security policies can be harder than creating the document itself. You should not underestimate this effort. Implementing security policies successfully takes a combination of soft skills in dealing with human nature and company culture and hard skills in project management. The number of tasks and considerations can seem overwhelming. It’s important to take a systematic approach that keeps the implementation moving forward and supporters engaged.

A new policy, or one that changes a common operation, can be difficult to implement. Personnel may resist a policy they view as restricting some necessary or desired operation. Ensuring all personnel are informed and educated on the new or changed policy is critical. Educating personnel on policy issues is one of the more challenging aspects of policies.

Security policies specify ways to control risk and reflect the core values of the organization. This means security policies are as much about promoting a risk-aware culture and motivating workers as they are about implementing technical business requirements. Therefore, it’s important to keep in mind that a successful implementation must motivate, gain consensus, and compete with an individual’s priorities. Gaining executive support is one of the keys to success. This means you must be able to communicate the value of the security policies. You must be able to explain why the business and individuals should care. This takes skill in influencing others and marketing the value of the security policies.

In this chapter, you will review many of the issues and problems faced when implementing security policies. The chapter gives pointers on how to overcome these challenges and how to deal with human nature in the workplace. The chapter also gives guidance on how to manage security policy changes in your organization.
