Policies don't make us secure

Here are ten reasons why security policies fail:
  1. The policies are impracticable or simply unworkable - they get in the way of doing business.

  2. They are so badly written that they literally don't make sense and aren't entirely understood.

  3. They are out of date, irrelevant, inapplicable ... and hence widely ignored.

  4. They conflict in various ways (internally, with other policies and directives or laws and regulations, with reality, with common sense, with good practice, with sound ethics etc.).

  5. People honestly don't know about them, or can reasonably deny knowledge of them, or for some reason don't believe them to be applicable.

  6. The corporate culture is neutral or even toxic towards (policy) compliance - the policies themselves perhaps being presented as mere formalities, the rulebook, red-tape for appearance' sake or to satisfy the auditors.

  7. There are no actual or perceived benefits in compliance, for example little to no chance of being caught and sanctioned for noncompliance, and zero or even negative/begrudging/back-handed 'rewards' for compliance. Cynicism aside, managers and staff are inevitably juggling priorities and don't always get it right. Sometimes, finding themselves caught between a rock and a hard place, it's more a matter of striving for the least bad outcome!

  8. Some people are naturally resistant to or resent doing what they are told, especially if there is no attempt to explain why, or the explanations make no sense to them personally, or if they are facing other pressures, or if they are told in the wrong way, or are simply having a bad day.

  9. People are occasionally misled or instructed to ignore policies, for legitimate or illegitimate reasons (e.g. exemptions for business or technical purposes, to resolve conflicts, cut corners or perhaps commit fraud).

  10. Nobody actually monitors or checks for compliance and noncompliance, nor rewards the former and penalizes the latter, nor makes any real attempt to understand and grapple with the underlying issues, the root causes.

That's quite a litany of issues, yet they are all solvable provided management has the impetus to do so. If not, well that's #6 isn't it?

The corporate culture (#6) is fundamental to the very concept of policies, compliance and accountability. Although some believe culture to be solely an emergent property of communities, relationships and behaviours, I believe it can be influenced, but admittedly doing so is a tough and painfully slow process. The starting point is for management to acknowledge that it both can and ought to be done - which is a job for awareness. Maybe we should add 'Security culture' to our bulging portfolio of awareness topics?

Security policies don't make us secure.  We do.  Or don't, as the case may be.