Dangers of Security Policy Override and Violations
In order to manage cyber and data security risks, organizations assign a qualified person tasked with creating and maintaining a security program that includes policies, standards and guidelines. A security policy is a high-level security statement that dictates how a particular security risk should be handled throughout the organization, such as “all devices must be encrypted”. Standards require the use of acceptable methods and tools for implementing and enforcing the policy, such as the use of “Advanced Encryption Standard (AES) 256”, while guidelines offer additional information.
Managing information security is one of the highest priorities in many organizations, especially those operating under heavy regulatory mandates and requirements. As we all know, information leakage and data breaches are high risks that can negatively affect an organization’s reputation and finances. Organizations that experience a breach of personal and private data can expect to face loss of customers, industry trust and credibility, money and competitive advantage, as well as increased regulatory scrutiny.
It has been acknowledged that some executives and members of the management team may override information security policies (and let other employees violate the policies) by asking the CISO for special treatment, because the policy is a burden to their productivity or for a number of other reasons.
A security policy override may come in various forms. If the violator feels powerful in the company and knows that his or her wishes cannot be rejected, the person will make a formal request to bypass the security policies at will. Other times, the person may simply ignore the security mandates and violate the security policies without notifying the CISO, because they feel it is a waste of time, that the policy does not apply to them, or that the request would be rejected, and because they believe their powerful position lets them get away with it if detected.
To be fair, some executives may abuse their power and override security controls because they do not even know that their actions violate security policies, or because they are not fully aware of the consequences of their violations and of how their actions may pose a risk to the company. As mentioned, they might simply ignore the security policies because they are busy, or, even worse, they might be planning to commit fraud.
To deal with security violations, strong detection controls must be in place and communicated widely to make sure everyone knows that they are being watched and that there are serious consequences for violating the security policies. That said, detecting security violations can be a daunting job and sometimes impossible, as the violators may be highly technical and able to cover their tracks after they achieve their goals. Also, when a security violation is detected, whether proactively or during unrelated audits, usually nothing happens if there is no Board and executive committee support for dealing with such violations. Therefore, it is extremely important that the security program includes provisions for dealing with violators and that those provisions are approved and supported at the highest levels of the executive board.
Sadly, the CEO and other high-ranking officials often have other business priorities and neglect security until a security breach occurs. Only then do they make, within minutes, the security decisions they declined to make before the breach despite dozens of business cases explaining the risk.
In conclusion, executives and management team members, like all other employees, should not be exempt from following any of the company’s security policies and procedures, in order to ensure continued protection of company assets, including confidential information.