Information Assurance (IA) has become dominant force within the IT community. It is not enough for hardware and software simply to perform at a high level, rather it must also do so in a way that meets information assurance or security standards. These standards come from organizational policy, industry regulations, and federal laws. Many times these IA requirements are seemingly at odds with convenience and usability. At the least, enforcement of these policies and laws are met with exasperation from end users. Many times they are flat-out ignored. Compounding matters, management is frequently complicit in this behavior, paying lip service to established policies and procedures but doing little to educate and enforce.
Individuals directly responsible for information assurance in an organization often attribute the breakdown in compliance to end user behavior. Much has been written regarding how best to deal with this issue. IA personnel would like to see more support from all levels of management coupled with better accountability to combat infractions. Management is often reluctant to enforce IA policy with much vigor. I count myself among those who believe this attitude towards IA does inhibit its effectiveness, and is something that needs to be addressed and remediated to ensure a successful program. Much industry literature on information security echoes this; many texts consistently point out the importance of top-down support as a key to this success. In fact, I believe that most, if not all, IA personnel share this sentiment.
While we must continue to push forward in this area with the hopes of raising the profile of information assurance's rightful importance in our respective organizations, it is my belief that this alone is not enough. In order to have a successful program, those with IA responsibilities must work diligently to craft a program that is complimentary to the user's day-to-day duties rather than one that is viewed as adversarial towards those efforts. Certainly this will not always be possible, however, in many instances a program is developed and implemented with little thought given to its impact on end users throughout an organization. Information assurance personnel who take a vested interest in developing a strong IA program without disrupting end user productivity will meet with far less resistance and are more likely to achieve success.
Deploying a program that appears seamless to your users is not a realistic goal, and in many instances they should be aware of measures in place to protect both the organization and themselves. Though information assurance need not be transparent to users, it should not be seen as a hindrance. Developing this balance can take creativity, patience, and expertise that is gained not only through experience but also by soliciting feedback from a cross section of employees at all levels and serving in a variety of different positions. By seeking this input the IA professional is posturing their organization and program for sustained success. I suspect that this strategy will be embraced by forward thinking information assurance leaders and will garner industry success and the respect of management and users alike. Those that adopt this strategy now will be regarded as leading the wave in what is likely to be counted as best practice in future information assurance doctrine.