RiskBloggers.com

January 2008

Security Policy Nirvana: Voluntary Enrollment

One of my favorite papers to quote in security talks has nothing at all to do with security: Power, Politics and MIS Implementation. It essentially concludes that executive fiat isn’t effective in getting people to buy into new MIS systems that they find distasteful to use. Forgive the antiquated MIS reference, but we’re talking circa 1983. Back in my IBM 360/370 COBOL days actually.

Today’s security is the MIS of yesterday. To wit, read Employees’ Behavior towards IS Security Policy Compliance, whose conclusions are not dissimilar.

In my experience, to achieve voluntary enrollment — which should always be our goal in everything security — security policies must:

  • Cite the business motivation behind the policy umbrella (e.g. “To remain an extraordinary company, we must continually earn our customers’ trust…”)
  • Adopt the same tone, voice and legibility as your company’s Employee Handbook. Which usually isn’t designed to scare people into compliance, in case you hadn’t noticed.
  • Cite the business rationale, spun positively (e.g. “Like our other software development rigors, secure coding practices are widely recognized as tonic for the reliability of our mission-critical systems…”)
  • Recognize that the business knows it’s not always in its best interest for everyone to follow every policy to the letter, and when that inevitably occurs in a crisis, what to do about it (e.g. “Use your best judgment, after seeking a second opinion unless that’s impossible, and notify the CISO within 12 hours.”)
  • State to whom to appeal when a formal request for a policy exception is denied. Even if you know that the requester will have to file six forms in triplicate, have a human tell them that, not the policy.
  • If you need legalese-rich preambles (e.g. “This policy changes from time to time, sometimes without prior notice…”) — which I do advise with your Legal department’s oversight — make its text collapsible with those nifty [+] widgets, so readers can get right to the point without having to scroll beneath the fold.

Finally, never stop asking people at all levels how good a job you did at delivering it. If you haven’t sold them in principle, you’re nowhere near done.


Alvin Toffler: Futurologist or Security Guru?

I hate it when Toffler wakes me up in the morning. Some things are too damn shocking, and stressful, and disorienting to learn from him early in the day.

“Future shock is the shattering stress and disorientation that we induce in individuals by subjecting them to too much change in too short a time.” –Alvin Toffler


On the upside, I didn’t get a call from the CIA telling me my city was in blackout. Thanks to mindless sociopaths who, I’ll assert, are conceivably responsible for the deaths of newborns and elderly in critical care. That’s no stretch, any more than were the security community’s predictions of crises like these when the Internet first went mainstream.

“Our technological powers increase, but the side effects and potential hazards also escalate.” –Alvin Toffler

What are the odds we’ll see lots more like this? Silly question. As Schmidt points out in the article referenced above, 85% of critical infrastructure in the U.S. is controlled by the private sector. Not that I needed any supporting data though.

“You can use all the quantitative data you can get, but you still have to distrust it and use your own intelligence and judgment.” –Alvin Toffler

I’ve said it before and I’ll say it again: Get to know your neighborhood security geek. Or Toffler. They’ve both seen the future.