
Risk is a fascinating thing. Risk is a manmade concept—you will not find risk growing on trees or strolling in the woods or buried deep underground in a seam of rock. Risk is an artificial mechanism that allows humans to process and evaluate dangers, and make “informed” decisions.
Perhaps greater than the concept of risk itself is what it means for the human spirit: while a certain dangerous scenario with a large reward in play might seem completely out of the question for one person, a big risk and smaller reward might very well be worth the risk for another. And, boy, does this manifest gloriously in business!
Tell a twenty-something, reckless entrepreneur they are playing it too risky, and they’ll laugh you off—such is the bravado of those who have nothing to lose. Discuss risk with a head of the family who runs a small local business, and their relationship with risk will be contrastingly different. Reach the big corporate leagues, however, and risk management becomes a top-of-the-list concern.
Along with the size and scope of the business, risk increases in proportion with responsibility. As a business executive of a large (in terms of magnitude and significance of operations, not necessarily employee count) company, you’re no longer interested in just saving your own hide—or, at least, you shouldn’t be. You have a responsibility towards a number of stakeholders: you need to be a provider for your customers, a financial security instrument for your employees, a profit-generating mechanism for your shareholders, and a responsible organization in the broader community. Paraphrasing the famous words of Jack Ma, founder of Alibaba, the “money” merely represents trust put in an organization by the stakeholders.
At that level, having strong I.T. policies is no longer an option—it’s a prerequisite. However, not all business leaders see it that way. This article sheds some light on what I.T. policies represent for businesses, and why they are essential.
What Exactly Is Policy Management?
You’ll hardly find a person—especially a business person—who manifests any sort of excitement when confronted with the word “policy.” For most folks, “policy” is synonymous with “formality.” A bureaucracy thing; a hobby for the tie-wearing, briefcase-carrying humdrums.
It’s difficult to blame the skeptics—policies are often both written and explained in a way that is dry yet elaborate, a combination destined to be boring. The verbosity can be forgiven—it is, after all, designed to help avoid ambiguity. The boredom can be avoided. Let’s try to explain policy in a way that doesn’t require a law degree, nor a stiff drink to loosen us up beforehand.
In essence, a policy is a set of rules and algorithms to be applied in a particular situation. For example, an Incident Response I.T. policy is simply a document that instructs and explains how each member of your company should act should you experience a DDoS attack, or if someone’s laptop gets infected with a virus (or some other tech disaster).
Policies, including those centered on I.T., aim to guide employees in the prevention of and/or dealing with various crises. Some policies are more oriented towards prevention (“waiters must wash their hands before and after touching cash”), while others are specifically designed to tackle problems as they happen (“if there’s a hurricane, Mike grabs the money from the safe, while Jody escorts the employees out”). Prevention policies are meant to instill discipline and order; crisis policies are to make sure everybody knows what to do when things explode.
For the smart business person, a policy is a way to formalize procedures and elucidate the corporate attitude towards risk tolerance. A policy is a way to make sure everyone is on the same page at all times. The ideal is that all situations are expected, and prepared for.
But… It’s Not Like Anyone Actually Reads Them!
Well… in actuality, you should have a policy requiring every employee to read every corporate policy and acknowledge in writing that they have read it. And if a policy is changed or updated, everyone needs to read and sign again. (I know! Policies within policies… it’s like a Matrix of regulation around here. Where does the madness end?)
Now, while it may be true that some employees will just skim the policy and sign the form, that doesn’t mean that having written policies is not essential. It also doesn’t mean that policies can’t be easy to understand and implement. Either way, employee disinterest or disregard for your policies may illustrate more about how you are approaching the idea of policies in general, as opposed to the policies themselves.
One of the more common mistakes is forming unrealistic, out-of-touch policies. Such is often the case with “standardized” policies—company executives simply look at other companies for “inspiration,” and make slightly tweaked versions of their policies. This leads to quick, often comical, failures that irreversibly damage the company’s outlook on the entire concept of policy management. I once worked at a company that “borrowed” a policy from a security company requiring employees to change their passwords every morning. As you can imagine, this draconian rule was very unpopular, so no one ever followed it. And guess what? Nobody ever took any of that manager’s policy suggestions seriously after that.
To avoid such blunders, it is necessary to create highly individualized and realistic policies that fit in with your company’s values and processes. The best policies do not revolutionize, they merely formalize the ideas and concepts that already run the organization, clearly assigning responsibilities. If policy comes as a surprise to your management and employees, it is a sign that it’s not in accordance with your company’s foundation and long-term vision (unless the policy is used as a vehicle for a drastic change that needs to be made).
However, issuing policies isn’t enough. With every policy, it is important to allocate additional time and resources to train your employees. It’s great that you want your team to have maximum-security passwords—but if they don’t know how to create one, they never will.
After training comes monitoring. Take the time to evaluate the effectiveness (and effects) of the policy in action, in the “real world.” Where does the new policy interfere with operations? Do the benefits of the policy outweigh any inefficiencies it is causing? How well have your employees received the new policy? Are they actually following it, or just paying lip service to it?
Now, since this is an I.T. blog, and we’ve already spent most of our time on the philosophy and practice behind policy implementation in general, here is a brief introduction to some of the most important I.T. policies your company should have.
10 Main I.T. Policies that All Companies Should Have
While using standardized policies is a slipshod practice that can be dangerous for the company’s long-term well-being, there are certain areas of I.T. for which every company should have strong policies. The policies themselves need to be individualized based on your company’s risk tolerance and organizational structure; the areas themselves are universally important. They are:
- Acceptable Use Policy. Instructs your employees on how (and how not) to use technology and I.T. solutions.
- Security Awareness. Instructs management on how to educate employees on security issues.
- Information Security. Instructs your employees on how to keep your company’s data assets safe.
- Disaster Recovery/Business Continuity. Instructs all company members on how to act in worst-case scenarios to keep the business functioning.
- Change Management. Instructs all business departments on how to handle and monitor organizational change.
- Incident Response. An incident-specific set of protocols on how to tackle the problem.
- Remote Access. Rules that ensure security when systems are accessed by remote employees or outside contractors.
- BYOD (Bring Your Own Device). Technical requirements for employee-owned hardware and software.
- Vendor Access. Rules that define how much (and what type of) information a third-party vendor will have access to.
- Data Retention and Backups. Standards and protocols on data storage and processing.
After digesting this list, when you are ready to learn more about how we can help you implement these and other technology policy and compliance practices—and how doing so can save you money, actually reduce costs, and reduce risk (hey, look! We brought it back around to where we began!)—call us at 844-44-JMARK, or email [email protected].