IT security recommendations exist to protect companies from fraud. Sure, firewalls may make it more difficult to connect to some online services, and two-step identification may seem like it uses up precious seconds, but these measures exist to prevent intrusion. Unfortunately, many top-level executives seem to forget the importance of these policies and security measures. They may feel that since they can be held accountable to themselves, they are not beholden to the same standards as their subordinates.
Experience shows that the opposite is true. Executives who skirt the rules create a company culture where IT security is not valued. Worse, they establish a corporate culture that prioritizes convenience over risk aversion. Proven strategies can then get thrown out the window, and, as with someone who forgets to wear a seatbelt, regret often sets in after it is much too late.
When the C-suite holds themselves to a double standard for IT security practices, they fail to recognize two critical points:
The second point is particularly concerning considering that the top-level brass usually has access to their organization’s most sensitive information. Worse, their actions are seen as representative of their company as a whole. So, if a department supervisor has his email account hacked and the press publishes damaging leaked documents, the entire brand does not necessarily suffer. However, when the company president’s name appears on those emails, shareholders may begin to wring their hands.
Going beyond the sheer liability of a security double standard, the C-suite has the opportunity to inspire secure computing practices and sound policies more so than anyone else. Employees whose buy-in is inconsistent can be inspired by the actions of superiors who emphasize the gravity of following stated policies. Even more importantly, everyone in the organization can be held accountable all the way down when upper management fulfills its duties to educate every employee and demonstrate sound security practices.
Executives may understandably see the lines blurred between safe and unsafe actions. Practices that they would have found shockingly irresponsible on day one of a new security initiative may seem perfectly acceptable mere weeks later.
To remain vigilant and understand the duty of setting a positive example, an executive should never engage in the following behaviors:
We could fill a book with bullet points like these, but the overarching point is that many people who set policies or enforce them end up taking actions that would easily get lesser employees fired. So always ensure that you are toeing the line when it comes to security policies if for no other reason than to ensure that your lower-level staff does the same.
You can also audit your current security practices and measures to find out if you are creating unnecessary risks. Visit our IT security consulting services page to learn more about how our security audits and managed services can help instill a secure corporate culture from the very top to the absolute bottom with no gaps in between.