Five ways to focus your workers on compliance

Written by John P Mello Jr on June 4, 2010
The Pyramid of Compliance.

Most business initiatives need employee “buy-in” to work, and compliance is no exception. Automated systems can impose a degree of uniformity in enforcing initiatives, but where the rubber meets the road will always be where your workforce interacts with your systems. An employee who embraces your policies and procedures can be your best protection against threats like email-borne malware, as well as your best assurance that your organization is complying with industry and regulatory mandates.

How do you focus your people on compliance? Here are five suggestions from Ernie Hardin, founder and owner of 443 Consulting, an information security and business continuity consultancy in North Bend, Wash.

1. Get ’em at the Door

Probably the easiest worker to obtain buy-in from is the new hire. He or she is a clean slate, without some of the baggage of existing workers. New hires are also eager to please their new employer, so they are more willing to accept your compliance rules.

What should be included in a new hire’s introduction to compliance? A message from your company’s CEO emphasizing the employee’s role in the security of the firm can be very valuable in attaching importance to compliance. Of course, the nuts and bolts of the external rules and regulations your business has to comply with (HIPAA for medical facilities, for example, or Sarbanes-Oxley for publicly traded companies) need to be explained, as does your firm’s acceptable use policy covering email and Internet usage.

2. Get ‘em Where They Eat

“Brown bag” training sessions can be a useful approach to getting current employees on board with your compliance program. The key to making these successful, though, is to bait them with something that appeals to the worker’s self-interest. Free lunches are hard to resist, but tailoring your message is important, too. For example, Hardin points out that a session could be structured around computer security at home, a topic of some importance to most of your workers. Because good security practices at home overlap with good security practices at the office, such a session kills two birds with one stone.

“Fortunately, this training also reinforces good security habits, which, in turn, employees tend to bring back to the work environment,” Hardin writes.

3. Get ‘em in the Corner Offices

In addition to the rank and file in your organization, you’ll want your top brass in on the compliance party, too. Sure, your CEO is aware of the importance of compliance (he said so in the materials for new hires, didn’t he?), but other executives need to stay current on developments, too. A good way to do that, according to Hardin, is to take advantage of news events related to the subject. When a data breach or an email-borne virus makes headlines, you can offer to brief executives about the event. The briefing doesn’t have to be a face-to-face session. It can be a short memo about the event: why it could or couldn’t occur at your company, what safeguards and policies are in place to prevent a similar mishap, and what additional measures could be taken to bolster what’s already in place.

4. Get ’em Prepared

No one likes fire drills until there’s a fire. The same is true of security training exercises. Hardin recommends that the exercises be interactive and involve problem solving, and that they include a brainstorming component as well.

“The idea behind these exercises is to get everyone’s ideas on how to make current processes better and more useful should real events like this occur,” Hardin noted.

5. Get ’em Focused

When spreading the compliance gospel, you don’t need to confine the burden to the apostles on your security team. Creating focused work groups of managers and employees to discuss compliance issues can build understanding and extend the reach of your team in the workplace. Knowledgeable managers and employees can aid in the enforcement of compliance policies and lighten the workload on your security resources.

“The underlying theme of these approaches is to educate and train at any opportunity,” Hardin explained. “Recognize that the employees are critical to the successful defense of your company.”

“Also,” he continued, “recognize that they can be part of your security implementation program as well as part of your enforcement team, and you’re well on your way to a more-compliant organization and a less-stressed security team.”
