Turning Policy into Action



Updated October 9, 2023

A policy, standard, or playbook that sits unloved and unimplemented does nothing for your company’s security.

It’s important to remember that creating these documents isn’t the end of the process; it’s the beginning. From here it’s up to you and your team to ensure that the requirements and processes defined in this document suite are understood, widely known in the team, and most importantly, put into practice across every area of your business.

There is no one-size-fits-all approach to how you do this. Your business and operations will be unique to your context, and so you will need to weave your new security practices through your culture. As you begin to do this, there are a few things you may want to consider that will help maximize your chances of success.

  • Security should not be a block or an obstacle. People (and growing companies) will avoid blockages and obstacles at all costs. It’s in our nature. If your new process or practice is going to slow things down or block something from happening, consider what people may do to avoid it. Instead, work with your teams to explain why the process is needed and what it is trying to accomplish, and then seek their help in finding a solution that won’t cause unexpected detours.

  • Security should be respectful. If you need a team to change their processes or take on new security responsibilities, you need to understand and respect the time and resources you are asking them to commit and the impact it will have on their existing commitments. Without this respect, you may find that conflicting priorities arise and tempers fray as people find themselves torn between too many requirements with not enough resources.

  • Security should be simple and obvious. Whenever you are implementing a process, ask yourself: is this the simplest process that will solve this problem? If it isn’t, then keep working on it. Security shouldn’t be complex or painful. It should be easy to navigate, understand, and get done.

    Similarly, if your team isn’t finding security tools or processes easy to find or engage with, make them easier and more obvious. It’s not up to your team to work hard to find them—it’s up to us to make security so easy our team can’t help but be involved.
