When planning the implementation of security policies, an organization must also consider how employee behavior varies depending on whether the organization uses a flat or a hierarchical management structure.
In flat organizations there are fewer layers between management and employees, so decisions and problem solving generally happen faster and at a lower level. Smaller organizations tend to be flat and often exhibit looser, more relaxed relationships between managers and employees, since they work closely together making decisions and running their area of the organization. This often results in a decentralized management structure in which employees have more leeway in their behavior and the application of policies is more relaxed. Application of policies is more direct, with decisions on how policies are applied and enforced made at a lower level.
In flat organizations, managers are much closer to the lower levels, which tends to give them a wider span of responsibility and oversight over a larger area of the organization. With this wide span of responsibility it becomes impractical to escalate every issue to higher management for resolution, which forces managers to make quicker, and sometimes inconsistent, decisions. This inconsistency is a problem for information security: for example, front-line and high-level managers may issue conflicting statements or enforce the same policy differently. This is why clearly defining security policies in a flat organization is of paramount importance.
Hierarchical structures are usually a necessity in large organizations. Senior leadership is separated from lower-level employees by several layers of management, which produces a different dynamic than is found in flat organizations. The application of policies is more abstract, with lower-level employees seeing policy decisions as coming from on high. Application and enforcement of policies is more formalized throughout the structure, with policies constructed by high-level managers and enforced through the lower levels. This often results in employees following policies out of obligation, sometimes with a sense of apathy, rather than out of the sense of belonging found in smaller work units.
Hierarchical organizations face the challenge of enforcing policies consistently because the disconnect between lower and higher levels of the organization can reduce the sense of accountability. High-level managers responsible for constructing policies must take a proactive approach and lead by example to emphasize the importance of following policies. Additionally, there is a greater number of touch points and personalities that must be engaged when implementing policy, and as the number of touch points increases, the relationship matrix becomes more complex.
Other considerations include employee apathy, which often manifests as an attitude of just going through the motions, or of doing the minimum to get by. Well-defined security policies recognize that there will always be a certain level of apathy and non-compliance, and they include strategies to reduce both. The following are strategies to overcome apathy towards security policies:
- Engaged communication. Leaders should make a conscious effort to listen to and understand the reasons for worker apathy. Where warranted, policy should be adjusted to demonstrate that workers' concerns are taken seriously.
- Ongoing awareness. The message of the value and importance of information security should be continually reinforced. Awareness is an effective countermeasure to apathy.
- Set expectations. State clearly what is required, monitor compliance, and enforce accountability.
- Create layers of redundancy. Avoid reliance on single points of failure, whether one person or one technology.
- Reward compliance. Recognize individuals and groups who model the desired behavior. Something as simple as public recognition from an executive can be effective.