Why do IT security and IGA policy makers and managers have different perceptions of reality than the policy constituents? In our opinion, it’s all about intentions and motivations.
The main intention of policy makers is to protect the resource (data access, a device from abuse, physical entrance to a room, etc.). But what is the motivation behind the policy intention? For some people, like the CISO, it’s a part of the job description. For others, like a compliance officer, it’s a part of government or industry regulations (HIPAA, SOX, etc.). For most business subject matter experts, the biggest motivation is dictated by business goals: save money, 100% utilization of people and resources, etc.
Policy constituent intentions are different. Typically, they want to get to the finish line as fast as possible with the smallest number of steps. The finish line can differ from person to person: closing the sale, finishing tests of a software program, writing a report and so on, but all want to cross it. If there’s no policy prohibiting cutting certain corners to speed up the process, then there’s a high probability it will happen. Why? Because the constituents have their own motivations, which aren’t the same as those of the policy maker: get a promotion, make more commissions and bonuses, be on time for an off-work activity, etc.
These motivations have nothing to do with the motivations of policy makers, or even with enterprise goals (note: making more commissions, and especially bonuses, does not necessarily mean the company will make more money or promote the business). Motivations trigger intentions, and since intentions create more deviations from policies, they increase Costidity™, i.e. the cost of the human factor for the enterprise.
Here are three recommendations you can begin implementing:
- Have an honest conversation with policy makers and policy constituents about their real motivations and intentions
- Analyze the intentions and create a plan for working with people in your organization and its universe (partners, customers, vendors, etc.) to steer intentions in the right direction by using a people-centric approach to building policies and processes
- Re-evaluate the company goals and effectiveness of the campaign to deliver them to the policy constituents. Honesty and openness are your two best friends