Nobody reads policies

Rens van Dongen
6 min read · Nov 29, 2021


What have you agreed to over the years?

Butters declines the iTunes user agreement — South Park

South Park jokes aside, the Apple Media Services (App Store, Apple Music etc.) license agreement really does forbid you from using the services for the development of nuclear, missile, or chemical or biological weapons. And by accepting it, you also agree in advance to every future revised version.

When you started your job, did you have to read, formally acknowledge or even sign various long employment policies such as for expenses, mobile device use or workplace safety? What rules do you actually recall? Do you follow them?

Throwing policies at the problem

Organizations traditionally circulate their policies just to comply with laws, certification standards and insurance requirements. It's a box to tick. But if we truly want staff to follow our rules, handing them a pile of formal documents on their first workday isn't effective at all. And if people don't know the rules, they can't follow them.

Checkbox compliance

So why do we rely on this method? Simply because it works for compliance. Customers, partners and sometimes even auditors consider the mere existence of a policy sufficient assurance against a given risk, even when that policy file is tucked away in a messy SharePoint intranet site. For security, though, we need something better.

Bad passwords cause ransomware

As an example, let’s consider the biggest threat in cybersecurity.

“Most ransomware attacks are conducted through network connections, and often start with credential compromise” — NIST

Credential compromise basically means that passwords leaked elsewhere are tried by attackers against someone's business account (credential stuffing), or that a few common passwords are "sprayed" across every account in a corporate domain looking for any match (password spraying, which stays below per-account lockout thresholds). Either way, one valid pair of credentials is enough to walk into confidential systems.

But don't we tell our staff to choose unique, strong passwords? We do, in long-winded IT, password or access policies. Sure, systems like Active Directory (AD) can technically enforce password properties like complexity and expiration, but we all know what those rules produce in reality: predictable patterns such as "Summer2021!" with a digit incremented at every forced change. NIST SP 800-63B now advises against both composition rules and periodic expiration for exactly this reason.

Unintended outcomes

Working from intent to implementation

Technically, the typical bad password policy is actually a bad standard. A policy should only state intent, separating the objective (protecting user accounts against malicious intrusions by means of strong passwords) from the business rules we chose to achieve that goal (certain complexity requirements or expiration cycles). When it becomes clear we missed our goal by asking too much of our colleagues, we can evaluate the implementation, recognize the mistake in our standard and replace outdated methods with current best practices. Even Bruce Schneier is fed up with the widespread arbitrary rules.

Let's conclude the password example. Forget about handing password policies (or any other policy, for that matter) to employees. A much more effective method is to provide a practical process. Introduce a three-step password one-pager as part of employee onboarding: #ThreeRandomWords (the NCSC's advice), use a password manager, and don't reuse passwords.
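As an added example (not code from the original post), here is the #ThreeRandomWords step expressed as a runnable process: a CSPRNG-backed generator plus an entropy comparison against a randomly generated eight-character "complex" password. The word list below is a constructed stand-in so the script runs offline; the 7776-word figure used for the comparison is the size of the EFF long word list, and the 94-character alphabet is printable ASCII.

```python
import math
import secrets

# Constructed mini word list so the example runs offline. A real deployment
# would use a large published list such as the EFF long list (7776 words).
WORDS = [
    "apple", "river", "candle", "orbit", "velvet", "hammer", "tulip", "glacier",
    "saddle", "pepper", "lantern", "meadow", "compass", "quartz", "badger", "harbor",
]


def three_random_words(words=WORDS, count=3, separator="-"):
    """Build a passphrase from `count` words chosen uniformly with a CSPRNG.

    secrets.choice is used rather than random.choice: the whole point of the
    process is that the words are unpredictable, so the generator must be too.
    """
    if len(words) < 2:
        raise ValueError("word list too small to produce a useful passphrase")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def words_needed(target_bits, list_size):
    """Smallest number of words from a list of `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def compare_to_complex_password(list_size=7776, n_words=3, charset=94, length=8):
    """Compare a random word passphrase with a random 8-character 'complex' password.

    Both figures assume truly random selection. A human-chosen "Summer2021!"
    satisfies most complexity rules but has nowhere near 52 bits of entropy,
    which is why spraying a handful of such patterns across a domain works.
    """
    passphrase = entropy_bits(list_size, n_words)
    complex_pw = entropy_bits(charset, length)
    return {
        "passphrase_bits": round(passphrase, 1),
        "complex_password_bits": round(complex_pw, 1),
        "words_to_match": words_needed(complex_pw, list_size),
    }


if __name__ == "__main__":
    print(three_random_words())
    print(compare_to_complex_password())
```

Three words from a 7776-word list come out at roughly 39 bits, well outside what an online spraying or stuffing attack can reach with a few guesses per account, and the password manager keeps each passphrase unique so a leak elsewhere does not carry over. Where a leaked hash can be cracked offline, a fourth word (about 52 bits) closes the gap with a random eight-character password, which is the figure the comparison function reports.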

Again, what we often call our “policies” are, in reality, documents that are short on objectives and mostly describe standards, and even processes, instead. The messy end-result, then, is uninviting and impractical and therefore blocks easy reviews, healthy discussion and needed change.

If nobody reads them, why need policies at all?

As Sinek said, always "start with why". Policies are about why we want things, not the what (standards) or the how (procedures). Per ComplianceForge, well-designed documentation comprises five core layers, arranged as a pyramid:

Just as with a real pyramid, you start at the bottom. And while every layer has value, they each have different purposes and audiences. A policy is like a law book, a standard resembles a building’s blueprint and a procedure reads like an everyday cooking recipe.

When was the last time you read a law book? Unless you're a lawyer, legal counsel or a subject-matter expert like a CISO looking into GDPR particularities, probably never. But we all have a reasonable understanding of what our national laws say, don't we? No killing, obey traffic lights, signing a contract has consequences. But wait: if we didn't learn this from the actual law texts, how did we acquire that knowledge?

Government and society have something to teach

With COVID-19, regulations were changing often. And still, everyone knew what was going on. An amazing feat, if you think about it. What happened?

Government organized press conferences
Public signs repeating instructions
News media covered each change and simplified the messaging
Organizations like municipalities and businesses dissected relevant rules and communicated them in practical ways, for example with lines and arrows in streets and public buildings
Even children contributed with their communication campaigns
Society repeated core messages and interpretations from it through culture, education, coffee corners etc.

Now, consider for a moment an alternate reality in which the government had solely relied on sending each citizen the COVID-19 policy texts, and again with each revision, asking all of us to sign for acknowledgement… This is exactly what organizations often do with their employees.

After the policy comes the work

Slim down your policies, so the objectives become crystal clear and can guide effective implementation through separate standards, processes and controls. Don't expect more than a handful of directly involved staff to read them, and that's okay. Apply the governance pyramid instead.

Governance pyramid

Many organizations believe that with their data protection policy, a website update and a processing register, their GDPR implementation is complete. However, that's only the start of the needed effort. For example, GDPR's storage limitation principle requires that retired personal data, such as candidate resumes or old personnel files, is reliably and repeatedly deleted, whether by an audited system or by accountable employees. If such processes aren't effectively in place, a privacy notice and a cookie banner will in no way truly respect the privacy of your data subjects.

London street signs protecting visitors

When certain behavior is expected from people, always look for the place and time at which the reminder is most needed. Just as an airline emails you the luggage restrictions right before check-in, why wouldn't a company print its reimbursement rules on the expense claim form itself? If you need to communicate workplace harassment guidelines, wouldn't it make more sense to include a reminder in the team outing invitation, rather than mailing them out once a year at an arbitrary moment? And if the UK successfully protects foreign visitors with "look right" reminders painted on London street corners, couldn't we experiment with "lock your laptop" stickers on office desks?

Conclusions
Talk at Cyber Security Expo at RAI, Amsterdam, November 24th, 2021
