July 31st, 2007
Policy Hell
One thing that I learned in five years of working for an FDA regulated company: policies are usually written to address fears instead of to solve problems or provide a return on investment. Often when one challenges the usefulness of a troublesome policy the answer is that Something Bad might happen if we did not have the policy. Never mind that the odds are miniscule of Something Bad happening. Never mind that the cost of Something Bad is less than the cost of maintaining the policy and training the employees on it. Never mind that the existence of the policy does not even prevent Something Bad; your company just hopes it makes Something Bad less likely. Fear has taken over, and we must avoid Something Bad at all costs.
I do not mean to belittle all those policies out there, but I would be very surprised if more than 10% of policies in medium-to-large companies provide a net positive return on investment.
Return on Investment
The core of the problem is properly identifying the return on investment by quantifying both positive and negative influences of each policy and official procedure. Most security organizations and managers do not do this well. Instead of considering the benefits of a policy and contrasting them to the costs, they ignore the costs and narrow their focus on an illusionary idea, often false, of the benefit.
Why does this happen? Why is it that people are unable to adequately assess the value of the policy? It is that most people cannot quantify costs. Time equals money, but many people do not know how to perform calculations across that equation. Time is the largest cost ignored by policy makers.
Identifying Costs
Some costs of policies and procedures are:
Additional capital and expense costs accrued directly against the budget: a change control procedure might require tracking tools that are bought and paid for directly against the budget. These are generally noticed and the only costs reported in a typical situation.
Additional time to follow procedure: if a policy requires that all documentation be in the same format, such as particular settings for font, margins, headers, footers, and standard sections (pseudo-justification of which is that everything looks neat and organized for auditors), then everyone that needs to create or modify a policy must be trained on those rules. Additionally, if templates are not provided then everyone must spend time manually formatting the documents to fit the standard. If one is lucky enough to have templates available, then one must not ignore the costs of creating and maintaining those.
Delays imposed: sometimes one must wait until certain times for updates due to over-reaching policies. If one has many sequential tasks to perform, he could be significantly delayed—even by weeks—by trivial work.
Necessary changes never implemented: I regularly see situations where necessary work to prevent future losses is ignored because the policies make it too much of a hassle to get it done. Management is simply not informed of the undone deed except perhaps in passing. No one follows up—to do so would add yet more burdensome tasks to an already overworked employee (overworked because their management thinks the process overhead on their activities is a fraction of what it actually is).
Minimize Policies
All I can suggest for now is to be very vigilant of all your policies. Can you trim them back? Can any be merged together? Do they cover too much? Do they present too much of a burden? Can you lighten known burdens with minimal trimming of the policy’s benefit? If you want to empower your IT staff, be their hero—not their agitator.
