Intelligent CISO Issue 14 | Page 64

Balancing enforcement and business productivity

At this point, it seems a significant problem is that many employees don’t fear breaking policies. When they aren’t enforced and the consequences of defying them have not been communicated, what is there to fear? However, no policy has ever been made to be broken, and with fewer and fewer people following the restrictions and regulations, it is only becoming more complicated or costly to enforce them. On the flip side, it’s possible that it could be security teams who are complacent when it comes to enforcement.

It’s imperative that businesses educate their employees about the growing cyberthreat to reduce the risk that they fall victim to an attack.

A set of policies might be put in place to appease executives or board members, but an IT team not supportive of the initiative could have no actual intention of implementing them.

Another possibility is that inconsistencies in enforcement create a situation where no enforcement seems like a better decision. Imagine a situation where one employee was written up for using a non-approved cloud storage platform but he/she knows that numerous other employees are also using it and aren’t being punished. This would serve only to create resentment towards the security team and would