By Beth Richard, IAITAM
ITAK V8 I3
A critical success factor for effective ITAM policies and processes is the ability to gain end user support for compliance with the program and its policies. End users resist change, concerned about the inconvenience and the possibility that the change will add to their workload and responsibilities. End users are also influenced by the organizational culture and whether it includes strong or weak policy development and enforcement throughout the organization.
In addition to the end user’s conflicting concerns, ITAM policies and processes can be unpopular for seemingly good reasons. Imagine the ordinary scenario of an ITAM program tasked with reducing expenditures, data loss risk and regulatory failures from lost and stolen computers. This goal leads to a new policy requiring that all hard drives have encryption software. The policy both increases data protection and reduces the organization’s expenditures on lost and stolen computers by a million dollars US per year. However, that encryption inconveniently slows the computer and increases its boot time. The question is, how does the organization gain support and compliance for this vital new policy when implementing it is going to have a negative impact on the end user? The policy is unpopular.
In any environment, developing an education and communication plan about policies is the best tool for building end user support and compliance.
The Change Model Perspective
Policy education and communication need to be embedded in every appropriate opportunity. For instance, projects rely on change management. Change management is the process of ensuring that new practices, such as the use of encryption software, are accepted and used by employees and managers. The change management process involves four steps:
· Overcoming resistance to change
· Managing the transition to the new policy
· Shaping the political dynamics through communication
· Using training and education to understand the new task
Rather than concentrating solely on the minutiae of a change during those steps, add the policy basis for the change and the project in general.
Start Early with New Hires
Gaining end user support for the ITAM program is most easily done during the new hire onboarding process because these individuals are not resistant to change. As a new hire enters the organization, communication and education about the ITAM program and end user responsibilities can greatly increase policy acceptance and compliance by the employee. Onboarding is usually handled by the human resource department; work with them to determine how to advance education and communications about the ITAM program and policies. This can easily be accomplished when the organization has an existing orientation program.
Build End User Involvement
Consider using the end users’ inputs and opinions in the policy development process. End users can contribute to the development of policies in a variety of ways. They can be part of focus groups, provide survey information and be part of the policy development team. Resist the urge to develop a new policy in a vacuum. End users will be more likely to comply with a new policy when they have had a hand in the development and feel ownership for it. In the case of an unpopular policy, like the requirement for using encryption software on all computers, end user involvement aids in the acceptance of the policy and also helps develop the guidelines for enforcement and the consequences for policy noncompliance. End user involvement in the early stages of policy development helps identify the areas for policy exceptions and develop the exception process for noncompliance.
The Political Dynamic of the Organization’s Culture
Building awareness and compliance for a new policy, such as the drive encryption example, may depend on the organizational culture itself. In one organization, the employees may already know the goals of the organization and feel that they are actively participating in achieving the organization’s mission. In this type of organization, from the CEO to the parking lot attendant, every individual knows that completing their job leads to the success of the organization. In another organization, employees may feel allegiance to their business unit and the goals of that business unit. Determining where the cultural allegiances lie can be a big factor in the successful implementation of an unpopular policy. Gain an understanding of the organization’s culture by observing and listening before implementing a new policy communication and education plan.
Sometimes the strongest influence on end user acceptance is an explanation of why the policy is important to them. This explanation is often different from the explanation of why the organization needs the policy change. In the case of the hard drive encryption policy, the organization needs to change in order to secure data, reduce expenditures due to data losses and conform to regulatory requirements. The organization may win over some end users with this explanation, but it may not be enough to gain full acceptance from all end users. The answer to why a policy is important to the end user may be different. An acceptable answer to an end user could be that the encryption also protects the end user from personal identity theft. The communications and education about the new policy could explain how the policy prevents identity theft and list ideas for what the end user can do to help. The reason why the policy is important to the end user can be crafted during the policy development phase with the end user’s inputs.
Policy Enforcement Measures
How the policy will be enforced should be determined during policy development and communicated across the organization. With unpopular end user policies, enforcement measures may ultimately be the only reason an end user complies with a new policy. In the case of the policy requiring desktop and laptop hard drive encryption, enforcement measures could be that unencrypted computers will not be supported by the help desk or repair technicians until encryption software is installed. Another policy enforcement measure may be procedures for disciplinary action against end users when encryption software has been removed from their system. Enforcement has to be uniform across the organization for it to be a truly effective deterrent against noncompliance.
Managing the Transition to a New Policy
Run a communications campaign simultaneously with the implementation of the new policy. The communication plan should be run like an internal marketing plan. Consider posters in break rooms and other areas frequented by employees. Communicate to employees where the new policy can be found and a contact number for help and information concerning the new policy.
Overcome Reluctance to Training
When the policy or the actions required to comply with it are unpopular with end users, motivating them to change or even attend training can be difficult. Training about a new policy needs to be mandatory so that all employees attend the training session. The training delivery method should be appropriate to the audience but as engaging as possible, for example a short video. Next, require all trained employees to successfully pass an assessment about the policy after training. Passing the assessment demonstrates the employee’s understanding of the new policy and the enforcement measures. Lastly, require an employee signoff on the acceptance of the policy. To enforce this training requirement, include it as part of the employee’s annual performance review.
End User Feedback
After a new policy is implemented, be sure to request feedback from the end users. Channels for feedback should be part of the training and communication campaigns for the new policy. The feedback should be part of the review process for the new policy. Monitor and analyze the policy’s implementation and acceptance and use that information for the policy review process as well. Feedback delivers new ideas for maintaining the policy across the organization and suggests areas needed for review.
Realistic Expectations, Contingency Plans, and the Exception Process
With the incorporation of any new IT policy, 100% compliance is a lofty aspiration but an unrealistic goal. In some cases, organizational practices interfere with the implementation of a new policy that is supposedly an organization-wide policy. Contingency planning for any exceptions is a must. Consider the example of mandated encryption for all company owned PCs and laptops. What if the organization has business units that have government contracts where employees work on the government site? The government does not procure the end point devices for the business unit. Instead, the devices used are company owned assets until the end of the contract, at which time a transfer of custody to the government is completed. The business unit is attached as a live segment to the government LAN, and the government’s policy forbids any type of encryption product in their LAN environment. A contingency plan is needed that includes an exception process where issues like these can be reviewed by management and decisions handed back down providing further direction. In the case of on-site access and utilization, the company can approach their government customer, explaining the new policy and the reasons why the encryption policy has been implemented. If the customer refuses to allow compliance, then a waiver from the customer to the company is required as a contract change holding the customer responsible for the security of those assets while on government property. This limits the consequences for the company if an asset is lost or stolen on-site. If you can average 90% compliance in this particular case, you have done your job. The big issue is collecting exceptions for the other 10%.