I have often had the opportunity to evaluate different approaches to cyber protection, in different areas. Many times the approach was too superficial, the security policies insufficient when not completely absent, and this exposed the company to a very strong risk of compromise.
In my opinion, however, almost as bad for global security is the implementation of "too" stringent policies.
I know this sounds like a contradiction, perhaps even provocative, but please follow my reasoning...
It is an established fact that the weak link in information systems is almost always "Dave: human error" (no offence intended to my many friends named Dave!).
If we implement policies that are too stringent and insufficiently user-friendly, not very "ergonomic", as the excellent @roarinpenguin puts it, then users, squeezed between the anvil of security and the hammer of productivity, will inevitably look for tricks that let them formally comply with the policies while continuing to work unhindered.
Let me give a concrete example: for a long time the need for very complex passwords was stressed, passwords that had to include numbers and special characters in various combinations.
This led many, too many, users to write the password down somewhere so as not to forget it, completely defeating its primary objective.
Then came the obligation to change the password frequently. Users "changed" it by setting the previous one again. Then reuse was blocked. The result? P@ssword1, P@ssword2, P@ssword3...
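The escalation described above (reuse blocked, so users append a counter) can be reproduced in a few lines. The following is an added example, not code from the original post: a per-user password history with the plain "no exact repeat" rule beside a variant check that also rejects a new password that is the current one with a different counter, a case change, or a couple of characters edited. It assumes the current password is available in plaintext at change time (the user types it), that older history is kept only as salted hashes, and that `sha256` stands in for a real password hash (use argon2id or bcrypt in production).

```python
"""Why "not equal to the previous password" is defeated by P@ssword1 -> P@ssword2,
and what a variant check at change time catches instead.

Added example, not from the original post. Assumptions: the old password is
typed in at change time (so it is available in plaintext), older entries are
kept only as salted hashes, and sha256 is a stand-in for a real password hash.
"""
import hashlib
import os
import re
from collections import deque


def _strip_counter(pw: str) -> str:
    """Lower-case and drop any leading/trailing run of digits or punctuation,
    so 'P@ssword1', 'P@ssword2!' and 'p@ssword' all collapse to 'p@ssword'."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; strings are short, no optimisation needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(new: str, old: str, max_edits: int = 2) -> bool:
    """True if `new` is the old password, the same stem with another counter,
    or within `max_edits` single-character changes of it (case-insensitive)."""
    if new == old:
        return True
    new_stem, old_stem = _strip_counter(new), _strip_counter(old)
    if new_stem and new_stem == old_stem:
        return True
    return _edit_distance(new.lower(), old.lower()) <= max_edits


class PasswordHistory:
    """Per-user record: salted hashes of the current and the N previous passwords."""

    def __init__(self, depth: int = 5):
        self.salt = os.urandom(16)
        self.hashes: deque = deque(maxlen=depth)  # most recent last

    def _hash(self, pw: str) -> bytes:
        # sha256 keeps the example stdlib-only; a real system uses argon2id/bcrypt
        return hashlib.sha256(self.salt + pw.encode()).digest()

    def set_password(self, pw: str) -> None:
        self.hashes.append(self._hash(pw))

    def _current_matches(self, current: str) -> bool:
        return bool(self.hashes) and self._hash(current) == self.hashes[-1]

    def naive_change(self, current: str, new: str) -> bool:
        """The reuse rule from the post: reject only an exact repeat of a stored hash."""
        if not self._current_matches(current):
            return False
        if self._hash(new) in self.hashes:
            return False
        self.set_password(new)
        return True

    def strict_change(self, current: str, new: str) -> bool:
        """Reuse rule plus a variant check against the password the user just
        typed, which is the only one the server ever sees in plaintext."""
        if not self._current_matches(current):
            return False
        if self._hash(new) in self.hashes or is_trivial_variant(new, current):
            return False
        self.set_password(new)
        return True


def demo() -> dict:
    """Constructed scenario: a user with 'P@ssword1' tries the counter trick."""
    naive, strict = PasswordHistory(), PasswordHistory()
    naive.set_password("P@ssword1")
    strict.set_password("P@ssword1")
    return {
        "naive_accepts_P@ssword2": naive.naive_change("P@ssword1", "P@ssword2"),
        "strict_rejects_P@ssword2": not strict.strict_change("P@ssword1", "P@ssword2"),
        "strict_accepts_unrelated": strict.strict_change(
            "P@ssword1", "correct horse battery staple"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The variant check can only be run against the password the user has just typed; the older entries exist solely as hashes, so they are still limited to exact-match comparison. Even with this check, the underlying incentive remains: as long as people are forced to rotate, they will find the next minimal change that passes, which is why current guidance (for example NIST SP 800-63B) drops mandatory periodic rotation in favour of screening against known-breached passwords and changing them only on evidence of compromise.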
This is just one example to show that effective security requires the active cooperation of users and cybersecurity operators.
This result is achieved above all through training, promoting within the organisation an awareness of the risks being run (#ilbersagliosiamonoi) and of the behaviours to adopt in order to minimise them. Beyond that, whoever is responsible for the security policy must try by every means to improve the ergonomics of the solutions, so as to make compliance with the rules, I won't say pleasant (let's not exaggerate!), but at least not too invasive.
Also, explaining why certain restrictions are introduced, and sharing as far as possible the risk analyses that led to their implementation, helps immensely in gaining user adoption.
Finally, it is good to always remember that "Those who renounce freedom for security do not deserve either one or the other" (Benjamin Franklin).