Is your team following security rules without thinking about their consequences?

Rules are meant to be followed, right? Why else have them? But if your team is accustomed to following rules without thinking about their consequences, you might be risking more than you’d think.

For example, think about a company attendance policy:

Imagine you had a boss who held you accountable to the attendance policy of working the hours between 9 am and 5:30 pm with a half hour for lunch at noon.

One Monday you missed your bus and were 15 minutes late. Your boss comes over to your desk and gives you a warning. No excuses. You were planning to make up those 15 minutes at the end of the day and apologize for the tardiness; you had even decided that, going forward, you would take the earlier bus just to ensure this didn't happen again.

But when your boss scolded you without listening, it completely pissed you off. You decided you’d arrive on time, but when your new 5:30 PM timer went off, you were out the door. No exceptions.

In this example, the policy was clear, but the enforcement became problematic.

Enforcement, which was aimed at team cohesion (everyone being in the office during the same hours), ended up destroying the very thing it was trying to create. That is something important to think about: when you put a policy into practice, you have to deal with the consequences of enforcing it on a team.

I know that a work hours policy might be a simple example, but what about other really important aspects of your business? What about security policies?

You might have a problem on your hands if…

  • Your policies frustrate or annoy your team
  • No one understands WHY they are complying in the first place
  • The rules seem arbitrary

You may get your employees to comply with something. They may follow your rule exactly. But are you confident in the results?

I want to challenge you to start approaching security compliance from the vantage point of your users.

Yes, you already know WHY they need to comply with different policies. But they might not. How can you help them understand WHY? What if you could take it a step further and get them to WANT to participate in your compliance program?

This means educating your users about the policies, and then energizing them to follow them. What does that mean? It means getting them on board with compliance in a meaningful way: recognizing the consequences, NOT just following a rule for the sake of it.

If you create the rules and enforce them to the 'T', you risk those rules backfiring. If a policy wasn't thought through well enough to really protect your business and you strictly enforced it anyway, you risk having a team that points to the faulty policy if something terrible happens while that policy is in place.

There is a name for this: malicious compliance, following bad rules exactly as a way to point out the problem with the rule.

Malicious compliance puts your business at risk of more than just a bad culture. It could be creating confusion around vital security policies.

This is EXACTLY what cyber hygiene testing is supposed to do: get them to see what is at stake.