As an active information security executive, I have slowly but surely realized over many years that not everyone cares about information security in any company. In fact some people may purposefully violate the established security policies and protocols for their personal gain even if they realize that their actions may place the company and its executive management at risk.
Such individuals may care little about the future risk exposure their actions create, especially if they themselves will not be affected by it. They tend to focus more on short-term personal gains than on long-term risks. Most people in any company have their own set of objectives that they want to accomplish easily, quickly, and effectively, regardless of the cost to others or to their organization. This attitude is shortsighted and may not support the company’s overall risk management efforts, which can expose the company to lawsuits and its management to fines and jail time.
Below are some examples of employees who may violate the information security protocols and why:
Sales professionals in general prefer to sign a contract and close the deal quickly, pushing lawyers and others to finalize the contracts as soon as possible. They may be willing to make excessive promises to customers regarding future deliverables set forth in the contracts in order to keep the potential customer happy, make the sale happen, and collect their sales bonuses. The problem with this thinking is that customers may not stay happy for long when some of those promises are not delivered.
Business operations employees may decide to send unencrypted confidential files to others because it’s faster than requesting an encryption mechanism from Information Technology.
Information Technology management and application owners may decide that it’s too much effort and too inconvenient to facilitate a security audit or to modify the application code to strengthen the security of the system in accordance with the company's standards.
Average computer users may leave their computers unlocked and unattended to avoid having to log in again when they return from a short coffee or restroom break.
As you can see, many within organizations have no vested interest in information security, and some care even less than others because they have support at the highest levels of executive management, who approve their actions. The problem is that although the executive management team also has a revenue objective, they happen to be more vulnerable to future risks such as lawsuits, fines, and even imprisonment, and therefore they at least make an effort to keep a balance between short-term rewards and long-term risks.
Below are some of the solutions I propose to address this problem:
Establish an information security leadership council composed of key senior and executive management members. This group should be tasked with security oversight and with making decisions on key information security matters.
Designate and empower a Chief Information Security Officer by having the CISO lead the security council, or report to the security council chairperson, a high-ranking executive who has as much to lose from a future risk as to gain from a short-term personal reward.
Establish a formal and documented override approval process for cases in which some deviation from the established security protocols may be needed. I would be the first to admit that some information security professionals are too rigid, and a lack of flexibility on their part may result in the loss of some revenue opportunities. I believe that executive management must be able to make key decisions and accept some risks at their discretion; however, such a decision must be educated, collective, transparent, and documented.
Have the Human Resources group establish disciplinary actions for dealing with employees who deviate from the information security protocols without proper approval from the information security leadership council.