
Poll: Do your senior executives think they're 'above' adhering to IT policies?

A European report reveals that many corporate executives ignore IT security policies and procedures. Do yours?

A survey of 300 IT security professionals has revealed that boards of directors are the most likely group to ignore or flout security policies and procedures, with 42% of respondents citing them as frequently ignoring them. That's according to a survey released today by Cryptzone, a European IT threat-mitigation specialist. Over half of respondents were convinced that senior management believes "the rules don't apply to them" when it comes to respecting IT security policies and procedures.

Ironic, since senior people often have access to the most sensitive information.

"This is a tough problem. Seeing wanton disregard at a senior level for the policies and procedures put in place to protect an organization is infuriating, and a real challenge for the CISO who must balance the needs of a business with the requirement to protect assets," said Nigel Stanley, Practice Leader for Security at Bloor Research.

He added, "I consider the starting point for all security measures to be a governance statement signed by the board, at least with this you have some comeback if senior managers and directors aren't playing ball." (You can download the Perceptions of Security Awareness Study here.)

I would venture to guess it's the same in other parts of the world too. Take our poll and let us know what it's like in your organization.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

10 comments
short timer

I had one company director trying really hard to get me to let him around our security measures. I finally said, "Is this a test?", which made him stop and think and finally give up. Then there's the big guy who had the corporate security team hack into people's Gmail accounts; there was a lawsuit about that case last year, because the security guy quit after he refused to hack into the big guy's ex-wife's email and later sued for wrongful dismissal or something as a result. Come on guys - boundaries!

RNR1995

This is why they are targets.

ananthap

Most companies have a governance statement of some kind, probably signed by the board. However, many top executives aren't made aware of the specifics as they apply to them and the devices and data that they use. In these companies, the IT people are too afraid to tell the brass.

ppointer

Many executives have business interests outside those of their employing organization. I don't think it is unreasonable for them to have access to email accounts and other network connectivity outside of the organization. Most of the time those interests have already been disclosed (examples include participation on other companies' boards and other business ownerships). So, if WebSense is configured to prevent access to web mail outside of the intranet, then allow the executive to punch through using POP3/SSL etc. The most basic of policies, such as not copying credit card numbers in the clear or emailing personal healthcare data, are so obvious that adherence is not a burden. But we as IT have to embrace BYOD, and we have to be facilitators of communication -- the two areas where I see over-zealous policy bigots get in the way of executives.

urkiddinme

The top dawg of the IT department does not believe the IT department needs to follow the policies and procedures that were recommended from a couple of audits. I have seen employees of IT departments access customers' accounts by logging in using the customer's username and password. Scary? Yes, indeedy. I try to imagine how I would feel if my sensitive data was hacked into. They can't seem to imagine that ever happening. However, I feel that there are ITers who think our walls can't be broken into. They don't believe in placing a privacy policy/terms of use on the websites, among other things. It's absolutely ridiculous.

dl_wraith

Directors and senior management seem to get into a mindset where they believe in a "them and us" style mentality, where "them" represents the other staff, who are dangerous and need to be led and given directives, objectives and constant instructions or else they would go off the rails and fail to do anything (right), and "us" represents the senior management team of trustworthy, upstanding, intelligent folk who know better than the common crowd. Ironically, these same leaders and managers frequently construct policies and champion the abolition of the "them and us" mentality elsewhere in their business (usually between middle management or team leaders and their direct reports), never realising that they engage in the selfsame tribalism that leads to such situations.

Those leaders in the "I know better" frame of mind will buck IT policies and will often see IT staff as a barrier [to usability] rather than as a [security] enabler. They often choose to counter any argument that their access to sensitive data poses a security threat if they do not adhere to the same policies as everyone else by saying, "I am a trusted and respected manager. I am trustworthy and this is why I earned my position" (or something along these lines). Some senior leaders need to wake up before their hubris damages their businesses.

As a small example, what's more likely to damage a business? A member of staff leaving to join a competitor and taking knowledge of usable contacts, good practices and the odd customer with them, or a senior manager leaving to join a competitor, taking with them full details of business practices, strategies, policies and procedures, contacts, customers, risks, business strengths and weaknesses? Oh, wait - most senior managers are too trustworthy and upstanding to actually use any of that sort of info at a new company, right?

lehnerus2000

A lot of them think they are above "The Law". An understandable conclusion, given how few get sent to prison. Why would they follow directives from a lowly IT Administrator?

dl_wraith

Loved your answer to the company director. I'll have to remember that one. The one I used that got the most thought from a director was: "Directors have access to more sensitive data than anyone else in our business. If anything, I need to ensure that you follow the security procedures even more than our other staff." The response to that one was a complaint to the Head of IT, which is where my earlier comment of "I am trustworthy and this is why I earned my position" came from. Needless to say, I was told to just relax the security for this case. Let's just say I wasn't pleased. Perhaps if I'd had "Is this a test?" in my arsenal, the outcome may have been different.

dl_wraith

.....interchangeable as far as this article is concerned. Everything I level at "senior management" can also be levelled at "well-meaning (but short-sighted) IT techs". Senior managers, privileged users and IT techs alike need to adhere to consistent and realistic policies that supply security for both them and their businesses.

The_Real_BSAFH

This condition goes all the way to the US Congress.
