Top-Five Practices for Changing Security Policies

As the cyber threat landscape intensifies, cybersecurity programs must evolve to protect your organization’s mission. To manage this continuous cybersecurity evolution, five key security program change management practices should be followed:

1. 1. Identify and engage business stakeholders impacted by security risks.

As new cybersecurity risks are identified, impacted stakeholders should be actively engaged in potential policy changes to address each risk. This may slow the process at the outset, but it will save time and effort in the long run by preventing rework to unforeseen circumstances that these stakeholders are sure to raise. Furthermore, stakeholders involved in policy changes are more likely to support and promote these changes to key constituencies.

2. 2. Conduct a business impact assessment.

Prepare a business impact assessment to evaluate the impact of a policy change on the organization. This should include a detailed evaluation of the current risk exposure and the costs and business impacts of the change. Developing the impact assessment forces the team to think methodically through the appropriate risk/cost tradeoff and make the appropriate business decision. Ideally, this process is facilitated by the security organization. This business impact assessment promotes stronger organizational support for the change and is the foundation for risk-based discussions and decision making.

3. 3. Obtain business support to promote policy changes.

Executive buy-in is essential to the long-term success of any significant change, including enhancing the security posture of an organization. Having executive champions, demonstrate decisions are driven from the top, not the security team. Users are more likely to adopt changes embraced by their leadership. This can only happen if business leadership is engaged in the decision making as described in practices 1 and 2 above.

4. 4. Communicate the new security policy change.

Before, during, and after security policy implementation, communication to users, operational groups, and management must be carefully planned and delivered. Utilize multiple communication methods to reach target audiences and raise awareness of the change. Cascading communications from managers to individual contributors is most effective. Communication messages should describe the change, its benefit, and what users must do differently. Distribution should be timed so users can learn and adjust to the new policy. However, too much time can be harmful, as the message is lost before the change is implemented.

5. 5. Reinforce changes with security awareness.

Plan follow-up communications to reemphasize policy changes and to provide updates to the implementation. Communicate common issues to help others facing similar problems. Praise users for the success of new policy adoption, reinforcing their behavior and setting a standard for future policy changes. Security awareness campaigns often include monthly newsletters or periodic reminders about phishing and appropriate, secure user practices. Leverage these existing security awareness programs and materials to reinforce the change and its adoption throughout the organization.

Following these practices will improve the implementation of your policy changes and result in an enhanced security posture. For more information on cybersecurity, please click here.