The biggest challenge for many businesses when dealing with the consumerization of IT and BYOD trends is often cultural. IT needs to cede control of devices, app choices, and where/when employees and executives actually interact with corporate data. That’s a cultural shift for IT. There’s an equal cultural shift that needs to happen when it comes to users and executives, who must take at least partial responsibility for keeping their iPhones, iPads, or other devices secure along with the business data on them.
This requires user education and solid communication between users and IT. To be truly effective, security policies need to be endorsed by senior management, and adoption and understanding of them need to follow from the top down through the organization.
Unfortunately, that isn’t what’s happening in many businesses. In fact, the people most likely to ignore or violate such policies are C-level executives, members of the board of directors, and even IT.
That’s the story told by a recent study (PDF link) by Cryptzone, an enterprise security company based in Sweden. The study asked 300 security professionals a handful of questions about security in their organization and the results show that the people with access to the most confidential information are most likely to ignore security policies that they feel apply to rank and file employees but not to them.
Here are the two big money questions from the survey.
- Do you believe directors think IT policies don’t apply to them? – 56% yes, 42% no, 2% don’t know
- Do your directors and senior management ignore or flout security policies & procedures? – 42% yes, 53% no, 5% don’t know
Digging deeper, Cryptzone explored how IT departments communicate security information to executives and employees.
- Do you give the same amount of IT security training to everyone in your organization? – 65% yes, 31% no, 4% don’t know
- If IT security training is differentiated, what is training based on? – 16% risk, 64% job function, 8% compliance, 10% new starters, 1% breaches or security incidents
Getting back to the board of directors, 52% of IT security experts agreed that board members have access to the most sensitive information but have the least understanding of security issues – 43% disagreed and 5% said they didn’t know.
The last question in the survey asked which groups in a company are least likely to follow security policies and procedures. Nearly half (43%) named upper management in some fashion (17% CEO, 6% CTO, 20% senior managers), and one out of five IT professionals (20%) said that their own department was the most likely to fail to meet security needs.
The study highlights an issue that has long been a challenge for IT. As IT becomes a facilitator of technology rather than its arbiter or purchaser, so-called soft skills like user engagement, effective communication, and developing personal relationships with other departments have become core needs. Taking that to the highest levels in a company is an extremely daunting prospect, and yet the alternative is potentially being blamed when security processes are ignored and result in breaches or other incidents.