Security Policy Nirvana: Voluntary Enrollment

January 22nd, 2008

One of my favorite papers to quote in security talks has nothing at all to do with security: Power, Politics and MIS Implementation. It essentially concludes that executive fiat isn’t effective in getting people to buy into new MIS systems they find distasteful to use. Forgive the antiquated MIS reference, but we’re talking circa 1983, back in my IBM 360/370 COBOL days, actually.

Today’s security is in the position MIS was in then. To wit, read Employees’ Behavior towards IS Security Policy Compliance, whose conclusions are not dissimilar: mandated policy that people find burdensome gets worked around, not followed.

In my experience, to achieve voluntary enrollment — which should always be our goal in everything security — security policies must:

  • Cite the business motivation behind the policy umbrella (e.g. “To remain an extraordinary company, we must continually earn our customers’ trust…”)
  • Adopt the same tone, voice and legibility as your company’s Employee Handbook, which usually isn’t designed to scare people into compliance, in case you hadn’t noticed.
  • Cite the business rationale for each policy, spun positively (e.g. “Like our other software development rigors, secure coding practices are widely recognized as tonic for the reliability of our mission-critical systems…”)
  • Acknowledge that the business knows it isn’t always in its own interest for everyone to follow every policy to the letter, and say what to do when that inevitably happens in a crisis (e.g. “Use your best judgment, after seeking a second opinion unless that’s impossible, and notify the CISO within 12 hours.”)
  • State to whom to appeal when a formal request for a policy exception is denied. Even if you know the requester will have to file six forms in triplicate, have a human tell them so, not the policy.
  • If you need legalese-rich preambles (e.g. “This policy changes from time to time, sometimes without prior notice…”), which I do advise, with your Legal department’s oversight, make that text collapsible with those nifty [+] widgets, so readers can get right to the point without having to scroll beneath the fold.

Finally, never stop asking people at all levels how well you delivered it. If you haven’t sold them on the policy in principle, you’re nowhere near done.
