A recent global survey of 300 IT security professionals revealed that boards of directors are the least likely members of an organization to respect security policies and procedures.
The survey, conducted by Cryptzone, an enterprise security company based in Sweden, suggested that senior executives are doing a poor job of setting a proper example for the rest of their organization. If others in the company are under the impression that their leaders neither understand nor respect security policy, they are bound to act similarly.
Among the results of the survey:
56 percent of respondents said boards of directors think IT policies do not apply to them.
52 percent agree with the statement that the board of directors have access to the most sensitive information in the organization but have the least understanding of security.
42 percent said boards of directors and senior management ignore or flout security policies and procedures.
“There’s a saying ‘do as I say, not as I do,’ and this study would appear to demonstrate that it resonates in the executive corridor of far too many organizations today,” said Dominic Saunders, senior vice president of the NETconsent business unit at Cryptzone. “However, there’s also a phrase ‘united we stand, divided we fall,’ and that’s what each person who doesn’t tow the security line is potentially exposing [his or her] company to.”
The survey findings showed that 65 percent of companies offer the same level of IT security training to each person in the organization, regardless of his or her role.
The survey emphasized that everyone should be aware of their company’s rules, why they are necessary and the consequences of disobeying them. It recommended that organizations find ways to ensure that everyone adheres to security policies and procedures. A way to do this is to differentiate IT security awareness programs so that people can focus on the policies and procedures that apply specifically to them. In doing so, they are far more likely to remember and adhere to the security rules that relate to their job functions.
Experts said some people need this training much more than others.
“The reality of this practice is money is being wasted training people who might not need it while not providing enough to the most at-risk groups,” Saunders said. “Instead, training should be tailored to reflect the level and depth of information people are privileged to, balanced against the risks they’re exposed to.”
Eytan Hirsch is a staff writer for SHRM.