Jul 24, 2024

5 Ways to Align IT and Security Policies with Corporate Culture | Expert Series

IT Administrators often have to walk a fine line. On the one hand, they must write policies that govern how employees work and use technology. For better or worse, these policies have a tremendous day-to-day impact on productivity and satisfaction levels. On the other hand, IT practitioners must also be mindful of their relationship with co-workers—especially in small startups, where these interactions carry even greater significance.

Push too far in one direction, and IT risks alienating the very people responsible for growing the company. But give users too much latitude, and they could invite unsustainable security, compliance, and operational risks. AccessOwl sat down with several expert IT practitioners to hear their tips for managing employee friction:

1) Be honest

Jakub Łączak-Król, IT Asset Manager at XTB, believes it’s always best to be transparent with co-workers, even when delivering an answer they won’t like.

“To me, the answer should make sense to them. I don’t believe in just saying ‘no’ and that's it. I always try to explain the IT policy related to their request, and that if I make an exception for one person, I’ll have to make an exception for everyone,” he says. “I do certain things for certain reasons, and I believe that employees should be aware of those reasons.”

Łączak-Król adds that while honesty and context are always the best policy, IT admins shouldn’t overwhelm employees with information.

“I never try to share too much without being asked first by employees, because they have so much going on in their daily work, why would they need to hear about every single IT policy?” he says. “My approach is: ‘This is the reason, and I hope this makes sense to you. If not, please ask more questions. I also want to be clear and honest with you’.”

2) Share a comprehensive rulebook

Derek McGee, IT Manager at Airtower Networks, takes a slightly different approach, likely informed by his company’s highly regulated industry. He shares a comprehensive digital security and IT policy list with new employees during onboarding. This includes rules—vetted by legal and HR—on BYOD and mobile use, internet use, password management, and more. It features a dynamic list of legal guidelines and corporate usage policies that are mostly common sense but still need to be communicated clearly.

“This is shared during onboarding, and then if there are any changes, we go over these during our quarterly security training seminars,” he says.

3) Manage IT with a personal touch

Grant Bordelon, IT Operations Specialist & System Network Administrator at Rep Data, believes nurturing personal relationships is the key to building trust with fellow employees—especially in smaller organizations. This trust is crucial for minimizing shadow IT inside the company.

“I'll tell you exactly what happens in a small company. They go, ‘wow, this computer is so locked down, it won't let me get to anything.’ And if they're working remotely, they just get on their personal computer and do everything they were going to do anyway on that work machine,” he says.

“If you want to make sure everyone's doing everything by the book, put them in a cell under camera surveillance, and watch them. But if you can’t, you have to make that call, because at some point, it's either physically lock them down like prisoners or have some faith and trust in your employees.”

4) Don’t be afraid to be disliked

IT can’t always be the favorite department, says Iliya Tsvibel, IAM Security Engineer at Qwilt. He recalls a situation where he had to temporarily remove HR permissions from the corporate HRIS solution HiBob and transfer them to himself. Although this was a temporary measure to rearchitect access rights and reduce security risk, it technically gave him access to protected employee salary information.

“Sometimes you have to be the bad guys,” he says. “This was one of the biggest problems in the political war between IT and HR.”

5) Sometimes you need to start from scratch

There are occasions, particularly in the early stages of a startup, where an incoming IT Administrator’s role is more about establishing norms, says Erik Ours, IT Manager at Wieden+Kennedy Tokyo. At his previous employer, Drivemode, one of his main priorities was to address the IT culture and how IT was perceived within the organization.

“A lot of tech companies see IT support almost like you’re the janitor—that's how you're treated and viewed. I wanted to get away from that stigma and establish it properly,” he says. “So within my first month, the first thing I established was an SLA between IT and the CEO. And then step two was a security awareness program.”

Every organization is different

When it comes to aligning IT policy and approach with corporate culture, there’s no one-size-fits-all set of rules. Much depends on the culture of the organization, which is influenced by its history, leadership, and regulatory environment.

What is clear is that for IT Administrators to succeed, they increasingly need to bring empathy and communication skills to the table—qualities the role has not always been known for. Technology changes, of course. But so must we.