Tips for Communicating Security Policy Changes

March 9, 2023 | By IANS Faculty

Communicating the existence of new policies and changes to existing ones is a critical part of policy lifecycle management. This piece explains the importance of developing and implementing a policy communication plan with clear, concise language that includes multiple communication channels and is tailored to the audience.

Establish a Clear Security Policy 

Policies and standards should be regularly updated to address the changing nature of business and technology threats. But when these documents change, it’s also important to communicate these changes in a way employees easily understand. A communication plan can help ensure the right messages get to the right people in a timely and efficient manner. 

Clear communication about a new or changing policy starts with a clearly written policy or standard. Documents should be easy to read and understand, which means using clear language and avoiding technical jargon. Requirements should be unambiguous, measurable and actionable. A few components of a well-written policy include:

  • Clearly stated objectives: A policy or standard should provide clear and measurable goals for compliance. Avoid weak or ambiguous language that could be misconstrued, including “should” or “may consider.” The rules are only as strong as the text that expresses them.
  • A clear scope: The policy should also clearly define the scope of who is affected. This includes individuals, departments or organizations. Be clear who is accountable for policy implementation, monitoring and enforcement. Describe roles and responsibilities in a way that ensures everyone involved understands their individual requirements.
  • Consequences: Communicate consequences of policy violations in relation to disciplinary action.

Don’t forget there may be important considerations when implementing a policy or standard, including legacy technology or budget and resource constraints. A well-crafted policy helps employees understand their role in securing the organization, but it also aligns with realistic implementation expectations and timeframes. Ensure you have an exception process that allows for these situations but also informs senior management where policy has not been implemented. Too many exceptions may mean a policy is over-restrictive or unrealistic.

READ:  Build a Stronger Security Culture with a BISO 

Create a Security Policy Communication Plan 

While you may think the policy itself can serve as the primary communication, this usually is not the case. Policies can be lengthy and full of boilerplate language that can be difficult for people to quickly understand and digest. If policies are updated frequently, it may also be hard for employees to keep track of changes. A more effective approach is to develop a communication plan that details which employees you will communicate with, what you will say to them and what method you will use to communicate.

A communication plan helps ensure timely and efficient dissemination of information and can help prevent misunderstandings among departments or individuals. A clear and structured process also helps ensure the right people understand new or changing requirements as quickly as possible.

A good communication plan considers:

  • Who is the audience? Before drafting any communication, identify who the policy or standard applies to. For example, is this policy relevant for all employees or just a specific department, such as IT? If something has a narrow audience, communicating requirements too widely may cause confusion with other areas of the company.
  • What is the message? Communications about policies should be clear, concise and tailored to the audience. Emphasize why policy compliance is important and how it benefits the organization. Try to summarize changes in a few bullet points. Sharing the rationale behind changes may help alleviate concerns and improve the acceptance of a change.
  • How should you communicate? Once you understand the audience, consider which communication methods to use. Email may be a good option for simple messages that need to reach a wide audience quickly, but security training and awareness campaigns might be necessary for complex topics that require many employees to change their behavior. Don’t rely on a single communication channel for bigger changes. Instead, use a combination of channels such as email, intranet, employee meetings or posters to reach as many employees as possible. Enforcing the message through multiple channels helps increase the chances it will be received and understood.

After a policy has been communicated, establish metrics to measure whether employees understand the requirements and are compliant. This can be done through surveys, focus groups or exception requests.

READ: Create a Security Charter Committee to Align with the Business 

Avoiding Communication Issues 

Communication with large groups of employees can be challenging. Many people have busy schedules and other requirements they need to follow to perform their jobs effectively. Start by storing policies in a central location so employees can find them easily. This could be on the company’s intranet site, shared drive or policy library. Many GRC tools provide policy libraries for storing and distributing documents, and they can also help with version control.

Other common issues include:

  • Not retiring documents: Policies should be retired when they are no longer needed. Make sure policy owners know when a policy is no longer applicable. Then, use the same approval process to retire the document that was used to ratify the original document. Keeping too many legacy policies around can cause confusion and make the overall policy program seem irrelevant.
  • Missing key stakeholders: Policy owners should make sure policy changes are communicated as widely as necessary. But key stakeholders may need special attention to understand how policy changes will impact their daily operations. Involving these key stakeholders during the drafting stage of a policy helps ensure better buy-in upfront.
  • Policy drift: Small edits can eventually introduce drift, where the meaning of a policy gradually changes or becomes confusing or even contradictory. Make sure “minor changes” don’t have unintended repercussions by creating a regular review cycle that looks at the entire document holistically with fresh eyes.

By clearly articulating expectations, policy owners can help ensure employees are informed about policy updates and can easily access the information they need.

Guidance for Communicating Security Policy Changes 

Communicating policy changes is an important part of policy lifecycle management. Take the time to develop and implement a communication plan with clear, concise language that includes multiple communication channels. To be the most effective, remember to:

  • Keep messages short and clear: Make it easy on the recipient by avoiding jargon and acronyms. Just like a good policy is written clearly, your communication about the policy should also be clear, concise and timely.
  • Retire legacy documents when they become out of date or are no longer needed: Don’t bury new requirements in a pile of legacy documents.
  • Align communication of the policy to the policy itself: Complex requirements that demand change on an organizational level need to have a corresponding level of communication planning. Build requirements into training and awareness campaigns and enforce requirements through multiple communication channels.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Access time-saving tools and helpful guides from our Faculty.

IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Get New IANS Blog Content
Delivered to Your Inbox

Please provide a business email.