
The CEO refuses cybersecurity best practices: Now what?

Some executives don't think cybersecurity best practices apply to them. Expert Mike O. Villegas explains how to handle that situation.

I read that security professionals can get a lot of heat, or even be fired, for not giving CEOs free rein over their systems, even if that means allowing exceptions to cybersecurity best practices and policies. If this is true, what are some ways to deal with uncooperative executives who may be putting themselves at risk?

The danger of security professionals getting in trouble or possibly being terminated for deploying security measures on CEO or executive computing resources -- which is required of all other personnel -- poses an interesting dilemma. Information security refers to the protection of data from accidental or intentional disclosure to unauthorized persons, or unauthorized modifications or destruction. If the CEO insists he is exempt from protection levels imposed on the rest of the organization, the security professional basically has three options: (1) educate the executive on the risks and liabilities of not deploying security; (2) document the executive security exemptions and acceptance of business risks; or (3) reconsider current employment.

First, the security professional should try to educate the executive on the risks and liabilities. Under some laws and regulations, such as Sarbanes-Oxley, the CEO is held personally responsible if the company is negligent in implementing prudent protection of critical information and assets. For example, the CEO of Target was a casualty of the disastrous data breach that occurred in November 2013.

If the CEO insists security protection will not apply to him, then the security professional should document the executive's security exemption and ask that he accept the business risks. This is meant for protection since invariably when a breach does occur, the security professional becomes the first casualty. Documenting where the CEO accepts the business risk could potentially save the security professional's job.

If the CEO will not do either, then it's time for the security professional to reconsider his current employment.

Every professional certification and membership in information security, assurance or governance has a Code of Professional Ethics (e.g., SANS, (ISC)2, ISSA). Members are required to abide by these codes to maintain membership and certification. All codes focus on integrity, honesty, law-abiding principles and respect for privacy and confidentiality. ISSA's code of ethics, for example, states that the security professional will "not intentionally injure or impugn the professional reputation or practice of colleagues, clients or employers." Be passionate and committed to your profession, and that will translate into commitment to your employer. I am confident you will make the right choice.



This was last published in May 2015

3 comments

Send me notifications when other members comment.

Please create a username to comment.

The article does a good job of explaining the options I would suggest. Education is the big one. Some companies will even run internal 'black ops' to help better catch people who don't realize the risks of using company assets in a world of cyber crime.

In the end, though, if the CEO insists, there's probably a point you can't push any further, since he does sign the paychecks, basically.
Priorities are always subject to perspective. In fact, the better way to put that is that priorities are subjective and an executive who believes they are doing more for the company by skirting regulations will continue to do so no matter how you try to persuade them. The best IT and security folks can do to keep systems and data safe AND smooth over relations with the big bosses, is to make it as easy as possible for EVERYONE to follow security protocols. Seems easy enough...until you find yourself pitted against the next stubborn C-suite cowboy. :-)
Tell them their bonuses will be forfeited if a cyber attack occurs and they had the chance to take the proper step to protect company data.
