Let’s face it: policies are the vegetables of the corporate world. No one’s excited about them, but everyone knows they’re good for you. Writing a good policy is like trying to get a child to eat broccoli—you’ve got to make it digestible, or no one’s going to touch it. A policy is, at its core, a set of rules. It doesn’t stop bad things from happening, but without it, you’re essentially telling employees, “Go nuts! Do whatever you want!” Spoiler alert: that doesn’t end well. Think of a policy as the fence around your swimming pool—it won’t stop anyone from drowning, but at least it’s a start.
A policy is the company’s rulebook, dictating how you want things done. Take an Information Security Policy, for example. It’s not just a fancy document to fill a binder—it’s the playbook for protecting sensitive data. It tells employees exactly how to handle the company’s information. And no, it’s not optional. Without a policy, people tend to make their own rules, which is how Dave in accounting ends up emailing customer lists to “coolguys420@gmail.com.”
Also, if you think having a cybersecurity policy is optional for your company, try explaining that to your cyber insurance provider. They want to see those rules in place. Insurance companies are essentially asking, “Do you have boundaries?” Without a solid information security policy, you’re basically telling them, “Nope, we’re just winging it over here!” Good luck with that premium, buddy. We have seen many organisations recently that cannot get cyber insurance at all, or whose premiums are unaffordable, because they do not have what insurers require in place in the business.
Here’s the problem with most policies: they’re written as if they were meant to confuse. Fancy jargon? Check. Legalese? Check. Absolutely impossible to understand? Double-check. Pro tip: humans read English, not legal mumbo jumbo. Instead of “Employees are required to exhibit utmost caution in data handling procedures,” try something like “Don’t send sensitive info to sketchy emails.” You’re writing for humans, so make it human-friendly. This is a satirical example, but you get the point.
Let’s be clear: policies aren’t magic shields. Just because you write a policy doesn’t mean disaster will stop knocking at your door. However, policies are a governance control. Without them, it’s basically a free-for-all. A policy is the first line of defence. It’s like having traffic laws—just because they exist doesn’t mean people won’t speed, but at least they know when they’re breaking the rules. You want to stop Dave from downloading pirated software on company computers? Put it in the policy. Without rules, Dave’s thinking, “Hey, free movies!”
If there’s one thing worse than not having a policy, it’s having one no one can understand. That’s why plain English is your best friend. Forget impressing the lawyers—this is about making sure your employees get it. Write it so anyone can read it and know what they’re supposed to do. If your policy sounds like it was written by a robot, guess what? No one’s following it.
A policy isn’t a set-it-and-forget-it situation. Things change, businesses evolve, and let’s face it—so do the ways Dave can mess things up. Your policies need regular updates. Just like a software patch, you need to tweak them to keep up with the times. When remote work became the norm, did your Data Security Policy adjust? It should have. Did you even have one, and if not, how did you enforce any rules without them being documented?
At the end of the day, a good policy is about clear rules, plain language, and setting boundaries. It won’t stop Dave from being Dave, but it’ll at least give him (and everyone else) a fighting chance. Because no one wants to end up in the headlines for the wrong reasons—especially if it’s because no one read the policy. Keep it simple, keep it clear, and for the love of everything—make sure people can actually read and follow it. Plus, your insurance provider will thank you.