On the surface, the business department supports it, but in fact it does not cooperate. This is the most common experience and complaint of implementers in the process of implementing information security management system in many enterprises. The support of business departments is an eternal problem. There are many reasons for this problem, such as "I'm very busy at work", "I just came back from a business trip and have no time to read those safety tips", "Don't trust me, I won't leak", "We are already very busy at work, please don't give us any more work" and so on. Really no time? Obviously not. The real reason is that "business is the most important thing, everything else is secondary" and "I haven't been so unlucky in recent years". I feel lucky because I don't know enough about the seriousness of potential safety hazards. Not only ordinary employees, but also some managers and even core managers have this idea to varying degrees.
First of all, the person in charge of information security should also consider the overall arrangement of time in the specific implementation process. After all, enterprises aim at profit, and business is very important. In the specific work arrangement, it is necessary to save the time of business personnel as much as possible, such as improving safety awareness, not just a way of classroom training. Internal websites, regular reminder emails, brochures, reminders next to printers and photocopiers, and safety stories on desk calendars are all good choices. The information security propaganda method should be flexible. If you know the business department, the business department will also welcome and understand your work.
Secondly, the benefits of implementing specific control measures should be fully explained to the business department. Many safety control measures implemented in business departments, if well implemented, are beneficial to business departments and help reduce the risks of business departments and related personnel. Business departments don't cooperate largely because they didn't see this layer themselves, and our implementers didn't make it clear to business personnel. In most cases, business personnel will actively cooperate and accept the temporary impact of the implementation of control measures on work efficiency after understanding this layer.
Thirdly, as far as the implementation of specific security products (such as terminal control software and CA certificate) is concerned, in the initial stage of implementation, the work efficiency will be affected to some extent because the personnel in the business department are unfamiliar with the operation, but once the personnel are skilled in the operation, this problem will not exist, and due to the improvement of security control, the security risk of the business department will be reduced, the time spent by the personnel in the business department on terminal or system failures will be reduced, and the work efficiency of the business department will be improved.