There are 3 reasons your staff will read your policies, and not blindly sign, or click to say they’ve read and understood:
They are coming after you, and they want to see what they can use against you
You have made it known that you are coming after them, and they want to defend themself
You made them - but they’ve really only made the right reading sounds, to convince you they’ve read it
Part of corporate governance is to have a policy set that lays out the expectations and requirements of a process, or an action. Part of compliance, and audits is to say x% of people have read the policy. Policies are written in the same way as legal contracts, terms and conditions, and those things we tick to say we consent to something. They are not written with accessibility in mind. They are written with ass covering in mind.
Most policies are for internal use only, but there are a few out there in the public domain. I make it my business to read policies, or try to. At best, I’ve seen a one pager, at worst I’ve seen a 37 pager, for example UK Cabinet Office Government Security Classifications. Do you honestly believe that your staff have read and understood anywhere between 1-37 pages of words written by someone, in inaccessible english?
Let’s just look at the executive summary of the Government Security Classifications:
This policy describes how HM Government classifies information assets to: ensure they are appropriately protected; support Public Sector business and the effective exploitation of information; and meet the requirements of relevant legislation and international / bilateral agreements and obligations.
I did a quick search for the policy’s definition of information asset. Nope. Doesn’t exist. The executive summary does state “It applies to all information that government collects, stores, processes, generates or shares to deliver services and conduct business, including information received from or exchanged with external partners” so let’s assume this is an information asset.
An interesting exercise for us all would be to go and ask your parents, or kids what an information asset is. It might mean something to us compliance flag wavers, but does it mean anything to the average person? I’ll let you answer that following the questioning of your family.
The next “what does that mean?” I’ll look at “is relevant legislation and international / bilateral agreements and obligations.” I’m sorry. What now? Remember, this is from the executive summary. This policy has been created for use by Government Departments and Agencies. That includes every single person within the department or agency. That is the Chief Exec, to the receptionist, and everyone in between. This policy also applies to the government supply chain, who may never have heard the words used within the civil service, or public sector.
I could pick that opening paragraph to pieces, looking for definitions to each word, but the answer would be the same. Nope. Not there. So, let me ask you; if we can’t understand the executive summary, can we expect anyone to honestly sign or tick to say they have read and understood? In the world of marketing, you have 3 seconds to engage someone in your content, or they’ll scroll on to the next cat meme. When it comes to policy, the expectations and requirements of a process, or an action, why are we dead set on making them unengaging, impossible to understand, or to follow?
Policies, as they stand, are reference materials that must be re-reviewed, not only when we make changes to them, but when we need to carry out a process or action. I wonder if your company is tracking how many times a policy we re-accessed, vs how many people, when forced to, have clicked to say they’ve read and understood?
I know, the minimum requirements for compliance is that staff read and certify that they have read. I know this is all you need to meet your employment law, regulatory and legislation requirements, but is that enough? Consider the sheer volume of policy violations your incident response team are handling each day, week, month, quarter, year. From my experience, these make up a huge amount of the incident root cause statistics. Imagine if you invested in engaging policies, that made sense, and were engaged with regularly. Think of the reduction in effort of resolving policy violation incidents. Think of the reduction in incidents. Think of the time your incident team could spend on other things!
This is where a strong security awareness, behaviour and culture change programme can help. By having people in your compliance or security team who can translate 37 pages into something useful, a crib sheet, or quick reference guide!
While this isn’t the sexiest thing you’ve ever seen, this graphic condenses 37 pages of policy into a desktop wallpaper, or quick reference guide. It gives the viewer an “if this then that”, or action steps on how to follow the policy. This kind of thing can be whipped up for any manner of policy. It is as simple as a “do this, don’t do that, ask if you want to do the other”.
The 37 pages can still exist if you need it to, although I urge you to not need it to! 37 pages of policy forms no more than a tick box exercise, and let's be honest, the author, reviewers, approvers and publishers don’t even remember what the 37 pages consist of, so it's almost unenforceable.
Unfortunately, security behaviour and culture change programmes are a thing for forward thinking CISOs and security teams, while the average security budget allows for security awareness as a compliance project, at best. But what we aren’t considering, when we spend time and budgets on policies, or tooling, or policy managers to house our 37 page policies, is that with an investment in security awareness, behaviour and culture change programmes, you can significantly decrease the cost to respond to policy violation related incidents. You can answer the question “I confirm I have read and understood - but do I?” with a yes.
Security behaviour and culture change programmes aren't just “a nice to have”. They are how you translate the inaccessible into accessible, actionable, compliant, boring security stuff into something your staff can digest, and that makes a difference to how much time, money and effort is exhausted in incident response.