When is enforcement of security policies effective? When it serves as an enabler of the right behavior.
See Also: Threat Intelligence - Hype or Hope?
For that to happen, generally three conditions need to be met. First enforcement has to be visible, meaning the workforce has to be aware of it. Second, it needs to be meaningful, meaning there has to be a real consequence. Lastly, it needs to be persistent, meaning it has to be visible long enough to shape new behavior. It also helps if the action taken is considered fair.
A security incident or even a lapse of judgment, depending on circumstance, should not be grounds for automatic dismissal.
So how does employee termination as an enforcement action stack up against these criteria? The reason I ask this question is twofold.
In recent months, when talking with folks about security incidents and breaches, a common theme that has repeated itself over and over again is that termination of an employee was often the action taken in response to a breach. But when I asked if that had stemmed the number of incidents, the answer generally was, "only temporarily" if at all. And in my experience over the last 20 years managing security, I've seen that terminations have not been as effective as one might expect in long-term behavior modification.
Termination has personal, professional and financial consequences. It alone may actually modify behavior for those aware of what happened. If the goal is to remove the person involved, then it is effective. If the goal, however, is long-term change, then termination alone is not likely to achieve that result and might actually be counterproductive. This is only accentuated by our short attention spans.
For an action to change behavior it must be visible, meaning others must be aware of it - not only that it happened, but the circumstances that led to it. This is problematic because many organizations are hesitant to discuss, let alone publicize, punitive actions. As a result, only a few employees may be aware, and depending on their perception, the story told to others may be skewed.
Also, termination eliminates any opportunity for the person punished to become a learning vehicle for others - someone who can say from experience: "That's not something you want to be doing." The finality of termination can also work as a negative, as we lose a valuable resource without the benefit hoped for, while placing additional burden on those left behind.
Behavioral change is helped by learned retention, and termination has a short shelf-life when it comes to retention.
Termination, as we said earlier, eliminates certain awareness opportunities for long-term learning because the person punished is gone and the people involved don't discuss it. Individuals who have been punished, but remain in the workforce, can testify to others firsthand that certain behaviors are destructive. In fact, individuals that are given a second chance can become positive influences with peers -particularly if they perceive the consequences they're handed were fair.
Don't get me wrong, termination is still an appropriate consequence depending upon the circumstances. It should be reserved, though, for the repeat offender, the individual who shows a total disregard for the rules, the person who seeks to harm another, or the most egregious incidents. But it should not be a standard response for every privacy breach in which an employee had some responsibility.
Privacy and security are everyone's responsibility. You hear this over and over again, yet organizations are reluctant to set privacy and security performance criteria for their workforce. Why?
In government, employees who handle sensitive or classified information routinely have security identified in their job description and included as part of their performance evaluations. A first-time violation might result in counseling, training and a letter in their file. A second violation within a certain timeframe might result in a formal letter and loss of eligibility for a bonus or promotion. Repeated violations or a serious incident with willful negligence or intent might result in termination. Taking these steps makes everyone in the organization personally aware of their individual and collective responsibility to protect valuable information.
To go one step further, often government contractors (business associates in healthcare) are held responsible for the actions of their employees through award fees. Security violations during a specified period can result in reduced award fees for that contractor. Organizations and agencies need to remind their vendor partners that they need to pay attention to workforce training and that their employees' actions have consequences.
The point is that even good workers sometimes make mistakes or have lapses of judgment - some that will no doubt even leave you scratching your head. That does not necessarily mean they are not good employees or capable of doing better.
A security incident or even a lapse of judgment, depending on circumstance, should not be grounds for automatic dismissal. Sometimes the person who makes the mistake and suffers the consequences, but is not terminated, is far more effective at shaping others' behavior than the one who disappears and is soon forgotten.
Tying privacy and security to individual performance plans and then enforcing it fairly can have a profound effect on behavior, and therefore, culture. It has consequences, it's visible and persistent, and if applied consistently, will be perceived as fair. More important, it will contribute to awareness and learning and assist in reducing the number of future incidents.
Mac McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based firm specializing in information security and regulatory compliance.