“Why do IT policies fail?” is like a mantra throughout many organizations – from IT asset managers to CIOs and COOs.
If we listened to and took to heart Colin Powell’s declaration – “There are no secrets to success. It is the result of preparation, hard work and learning from failure.” – IT policies would be wildly successful.
First, let’s understand that there are two main behavioral factors behind the failure of any IT policy. In fact, both can be applied equally to why rules and regulations in general get broken. Failure is assured unless both factors are in place and aligned:
- Awareness & understanding. One of the main issues with IT policies is a lack of awareness, followed closely by a lack of understanding. Think about jaywalkers. Everyone knows it’s against the law, but they do it anyway because they think it’s silly to have to cross at the corner. Of course, they could plead ignorance. However, ignorantia juris non excusat: ignorance of the law (if it truly is ignorance) does not excuse a person from being held accountable for violating it. The same standard should be set for IT policies – ignorance is not an excuse, as it’s very likely the employee did see the policy and even signed off on having read and understood it.
- Willingness to comply. People need to be willing to act in accordance with the IT policy. One of the most commonly broken IT policies is the one against downloading “free” software onto company desktops and laptops – anything from Adobe Reader to iTunes. While common sense and the unfailing media reports of software audits, compliance and piracy dictate that the company has such a policy, people have a “what they don’t know won’t hurt them” attitude. The fact is that people don’t see downloading free software or apps onto their laptop, desktop or mobile device as harmful. In fact, my bet is that most people see this as a silly IT policy that is meant to prevent distractions and increase efficiency. Therefore, the willingness to adhere to the policy is extremely low.
Both behavioral factors can prove challenging, but when people are given enough information to justify the rules imposed on them – from jaywalking to corporate policies – there are measures that can be taken to keep IT policies from failing.
Policies should be:
- Clear and precise: Policies should be easily understood with precise “if/then” directives. If there are regulatory reasons for the policy, those reasons should be included as a justification for said policy. Additionally, if technical support or help desk service may be needed, instructions – including who to contact – should be easily found.
- Easily accessed: Similar to employee benefits, policies should be retrieved without difficulty.
- Unambiguous punitive actions: Looking at industry regulations, laws that govern society and other legal policies, there are always distinct punishments for non-compliance. IT policies should have the same clear-cut reprimand. Without it, IT policies mean little.
Organizations must:
- Review: Like any industry regulation, it’s a good idea to review your IT policy annually as environmental changes – such as new technology, regulations, and business adjustments – may affect them.
- Communicate: One of the biggest reasons why IT policies fail is that organizations do not communicate new or existing policies effectively, nor do they have a program that continually reinforces policy changes.
- Enforce: If a policy is broken, the punitive actions are clear, and the organization still fails to take action, the policy becomes moot.
- Present a united front: From the highest executive to middle management, it’s important to have everyone on the same page as to the importance of policies. Too often, managers also break the IT policies very publicly. Similar to parenting, executives and managers need to be on the same page by saying and doing the same thing.
Awareness, willingness to comply and the other proactive factors listed above are what organizations should use to judge a policy’s effectiveness. However, it is important to remember that compliance alone does not and should not determine whether the policy is effective in achieving its goals, as a policy that is fully complied with may still not accomplish the desired outcome.
Examples of this:
Compliance becomes so costly that it does more damage, or adds more to IT costs, than it remedies – the cost of compliance runs to millions to implement and manage while giving little back year-over-year. Case in point: while a SAM (software asset management) tool may initially reveal some startling cost savings, you have to weigh that against the overall short- and long-term investment. For instance, how difficult is the installation and implementation? Does it require specially trained consultants? Will those consultants remain involved on an ongoing basis due to the complexity of the enterprise and the software? What is the cost structure, given that a handful of SAM tools are modeled on the dreaded annual maintenance cost structure?
Compliance may be possible, but does not adequately achieve the desired objective. Case in point: if the intended goal is to create a strategic IT asset management program that addresses the needs of the enterprise from strategy to tactics, but only the discovery process is implemented, showing some initial cost savings, the mandate remains unfulfilled. The underlying problem to be solved was not understood well enough to identify the right solution, so the policy put into effect is not effective. In this case, the policy would only address a small portion of the tactical IT asset management program and would very likely leave out vital elements including contract management, disposal, security, regulatory issues, communication and education.
While it is seemingly easier to identify, plan and create IT policies, organizations need to take more care with the procedures, communications and enforcement efforts, as well as accountability for their objectives. Think about how many times you’ve downloaded “free” software apps, made or accepted personal phone calls on your company’s mobile phone, or even sent or received personal emails. It’s likely that one or more of these actions are not acceptable under your corporate IT policy. Now ask yourself: what would you do if you were responsible for maintaining and enforcing the IT policy?
About Martin Thompson
Martin is also author of the book "Practical ITAM - The essential guide for IT Asset Managers", a book that describes how to get started and make a difference in the field of IT Asset Management.
On a voluntary basis, Martin is a contributor to ISO WG21, which develops the ITAM International Standard ISO/IEC 19770.