On Fri, May 21, 2010 at 11:50 AM, Edward Ned Harvey <lop...@nedharvey.com> wrote:
>> From: discuss-boun...@lopsa.org [mailto:discuss-boun...@lopsa.org] On
>> Behalf Of Brian Mathis
>>
>> ...
>>
>> I understand the impulse to get everyone together and be the nice guy
>> about this, but you can't.
>
> The reason why I'm unwilling to simply choose a policy as I see fit, and
> cram it down their throats, is because I expect compliance without using
> punishment as the motivation factor. This necessitates that people feel
> some voluntary commitment and understanding of the rules. People will do
> whatever is expedient, unless they know there's a reason not to.
>
> Whenever punishment is the motivation factor, the response is not to comply,
> but to conceal. Just ask anybody with a baby, or any dog trainer. *That*
> is what doesn't work.
>
> At the company where EXE and ZIP and such files are prohibited from
> download, people just use their USB sticks, and the Starbucks across the
> street, to get their job done.
>
> Thank you for the feedback, but you and I fundamentally disagree with each
> other.
You seem to have this idea that the only options are one of two extremes: either sit around in a kumbaya flower circle and get everyone's chakras aligned with the policy, or hire Blackwater to stand behind each employee and watch for violations. For any security policy, you definitely need to be on the stricter side of the spectrum (especially if coming from no policy), but it doesn't need to be extreme.

The problem with big corporate policies is that they are often forced on people with no explanation. If the policy comes with an explanation (or a presentation about the policy that includes the explanations), then people understand the reasons for it and are likely to accept it. That's the reality of how people work, and how you get people on board.

You need to include the impact on the business and consequently their jobs. That's not a threat, as in "if they don't follow it they will be fired", but if major issues cost the business so much money to fix, it could put the company out of business. You are all in the same boat -- it's not you vs. them. That turns the whole thing into "let's all pull together and make sure the business does well" instead of what you seem to only see as threatening and punishing people.

The order of how you approach this is important. You need to write up a policy, and then solicit feedback. Make revisions based on that feedback. THAT is what's going to get you buy-in from everyone. Handing everyone a blank slate is only going to make them think you don't know what you're doing. As I already said, *you* are getting paid to be the expert, not them.

_______________________________________________
Discuss mailing list
Discuss@lopsa.org
http://lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/