A lot of them think they are above "The Law".
An understandable conclusion, given how few get sent to prison.
Why would they follow directives from a lowly IT Administrator?
Directors and senior management seem to get into a mindset where they believe in a them and us style mentality where 'them' represents the other staff who are dangerous and need to be led and given directives, objectives and constant instructions else they would go off the rails and fail to do anything (right) where 'us' represents the senior management team of trustworthy, upstanding, intelligent folk who know better than the common crowd.
Ironically, these same leaders and managers frequently construct policies and champion the abolition of the 'them and us' mentality elsewhere in their business (usually between middle management or team leaders and their direct reports), never realising that they engage in the selfsame tribalism that leads to such situations.
Those leaders in the 'I know better' frame of mind will buck IT policies and will often see IT staff as a barrier [to usability] rather than as an [security] enabler. They often choose to counter any arguments that their access to sensitive data poses a security threat if they do not adhere to the same policies as everyone else by saying, "I am a trusted and respected manager. I am trustworthy and this is why I earned my position" (or something along these lines).
Some senior leaders need to wake up before their hubris damages their businesses. As a small example, what's more likely to damage a business? A member of staff leaving to join a competitor and taking knowledge of usable contacts, good practices and the odd customer with them or a senior manager leaving to join a competitor, taking with them full details of business practices, strategies, policies and procedures, contacts, customers, risks, business strengths and weaknesses?
Oh, wait - most senior managers are too trustworthy and upstanding to actually use any of that sort of info at a new company, right?
The top dawg of the IT department does not believe the IT department needs to follow the policies and procedures that were recommended from a couple of audits. I have seen employees of IT departments access customers' accounts by logging in using the customer's username and password. Scary? Yes, indeedy. I try to imagine how I would feel if my sensitive data was hacked into. They can't seem to imagine that happening--ever. However, I feel that there are ITers who think our walls can't be broken into. They don't believe in placing a privacy policy/terms of use on the websites, among other things. It's absolutely ridiculous.
.....interchangeable as far as this article is concerned. Everything I level at 'senior management' can also be leveled at 'well meaning (but short-sighted) IT techs'.
Senior managers, privileged users and IT techs alike need to adhere to consistent and realistic policies that supply security for both them and their businesses.
Many executives have business interests outside those of their employed organization. I don't think it is unreasonable for them to have access to email accounts and other network connectivity outside of the organization. Most of the time those interests have already been disclosed (examples included participation in other companies' boards, other business ownerships). So, if WebSense is configured to prevent access to web mail outside of the intranet, then allow the executive to punch through using POP3/SSL etc. The most basic of policies, such as copying credit card numbers in the clear or emailing personal healthcare data, are so obvious that adherence is not a burden. But we as IT have to embrace BYOD, and we have to be facilitators of communication -- the two areas where I see over-zealous policy bigots get in the way of executives.
Most companies have a governance statement of some kind - probably signed by the board.
However, many top executives aren't made aware of the specifics as they apply to them and the devices and data that they use. The IT persons are too afraid to tell the brass in these companies.
I had one company director trying really hard to get me to let him around our security measures - I finally said 'Is this a test?' which made him stop and think and finally give up.
Then there's the big guy who had the corporate security team hack into people's Gmail accounts. There was a lawsuit about that case last year because the security guy quit after he refused to hack into the big guy's ex-wife's email and later sued for wrongful dismissal or something as a result. Come on guys - boundaries!
Loved your answer to the company director. I'll have to remember that one.
The one I used that got the most thought from a director was: "Directors have access to more sensitive data than anyone else in our business. If anything, I need to ensure that you follow the security procedures even more than our other staff."
The response to that one was a complaint to the Head of IT which is where my earlier comment of "I am trustworthy and this is why I earned my position" came from. Needless to say I was told to just relax the security for this case.
Let's just say I wasn't pleased. Perhaps if I'd have had "Is this a test?" in my arsenal, the outcome may have been different.