Breakin' the law
Filed in archive Security by Scott Wilson on October 31, 2007

As one wag on Slashdot put it, "One-Third of Employees Admit to Violating Company IT Policies." In fact, although the methodology isn't detailed, one has to wonder how the surveyors even managed to find 1/3 of employees who knew what the policy was in the first place in order to know they had been violating it.
Most of the rest of the conversation at Slashdot revolves around the improbability of that number being anything other than extraordinarily low and the likelihood that most employees never even know what policies they might be violating. The survey further adds that fully 65% of employees have little concern that such violations might fuel significant security breaches in their corporate networks... supposing, I presume, that they see little connection between that and their own paychecks, and also assuming quite correctly that the whole thing is IT's problem to deal with.
Which brings us to the real question for CIOs, which is: why bother to have such policies if they are so broadly ignored? Is it just a CYA mentality, or the inevitable crush of paperwork and bureaucratic sludge that accumulates in any organization over time? Too many lawyers? What's the deal?
My own philosophy is that if you don't have an enforcement mechanism (a working one), then you may as well not have a policy. Otherwise you're just making a joke of yourself, pushing your policies into the same territory that jaywalking laws and speed limits occupy. And if something is important enough to your network security to have a policy for, then it's important enough to put a real system in place to enforce it... not to simply leave it up to people who won't be the ones to pay the Piper when something does happen.