Peer to Peer Magazine

Winter 2015

The quarterly publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/624538


BEST PRACTICES

Information Security Communications That Connect

As Chip and Dan Heath said in their book, "Made to Stick," "Tell someone 10 things, and you tell them nothing." This sums up the challenges we often face when communicating to employees the myriad issues and policies surrounding information security.

Law firms typically have voluminous policy documents, often reviewed and rewritten by committees of lawyers. They are very thorough, very dense and very long. A once-lean draft can become a near-unrecognizable behemoth that includes policy considerations for every type of information and media in use. These policies are often written from a compliance perspective. When an auditor or client asks what your organization does about mobile devices or how you handle secure file-transfer requests, you can happily point to a multipage table of contents and say "It is covered in our policy!" But what about the employees in your organization?

How do you communicate these comprehensive policies to them in a way that pertains to their daily work? Can you give them usable versions of these lengthy documents so they are not discouraged by the policies' sheer volume? How do you use your policies to help answer the simple, critical question employees ask: "Is it okay for me to do this?"

At the 2015 LegalSEC Summit and at ILTACON 2015, expert after expert expressed that policies are an important part of any information security program, but they are just the beginning. Employees are our first lines of defense in information security, and they must be educated and given the resources needed to change their behaviors if we want those defenses to be strong.

WHERE TO START

Approach communications from the employees' perspectives and with their needs in mind. What would spur them to think about the firm's policy? The most common trigger is a request to perform a certain task. Most employees will not spend time thinking about what secure file-transfer tool the firm uses; they just want to know, "Is it okay to put this in Dropbox?" Take that same practical, real-world perspective in communicating policy.

STRATEGY ONE: OUT OF ONE, MANY

For a large, comprehensive policy such as "acceptable use," which often covers numerous issues, consider breaking it into smaller chunks. When employees are looking for guidance on whether they can send work product to their Gmail accounts, are they likely to wade through the large document? You can keep the comprehensive policy intact while creating a library of topic-specific mini policies. You need not do this with every section of your comprehensive policy — just the greatest hits.

About the Author

Julia Montgomery, Senior Change Management Consultant at Traveling Coaches, Inc., advises clients on all aspects of change management related to technology projects. She specializes in developing strategic communications. A true user advocate, Julia believes the key to increasing user adoption is to focus on the needs met by a technology solution rather than on the technology itself. Before joining Traveling Coaches, Julia spent more than 15 years as part of in-house legal technology teams. She is a member of ILTA's LegalSEC Council. Contact Julia at jmontgomery@travelingcoaches.com.
