Cryptzone queried 300 IT security professional foot soldiers attending Infosecurity Europe 2012 in an attempt “to find out their belief as to who respects security the most within their company;” and it is not senior management. Asked the blunt and direct question, “Do you believe directors think IT policies don’t apply to them?”, 56% agreed.
Fewer respondents believe senior managers actually “ignore or flout security policies and procedures,” but at 42% the figure is still surprisingly high. Fifty-two percent of respondents agreed that “The board of directors have access to the most sensitive information but have the least understanding of security issues.”
Cryptzone senior VP Dominic Saunders commented, “There’s a saying ‘do as I say, not as I do’; and this study would appear to demonstrate that it resonates in the executive corridor of far too many organizations today.” Standard business philosophy states that a company’s attitude is driven by senior management. If senior managers are thought to flout security policy, staff will act similarly.
It is one of the major problems faced by CISOs today. Nigel Stanley, practice leader for security at Bloor Research, explains, “Seeing wanton disregard at a senior level for the policies and procedures put in place to protect an organization is infuriating, and a real challenge for the CISO who must balance the needs of a business with the requirement to protect assets.”
“It would seem,” concludes the Cryptzone report, “that although security and governance issues are increasingly being discussed at board level, the perception remains that senior personnel believe that IT security policies and procedures apply to the general workforce, but they don’t necessarily practice what they preach.”