The CEO refuses cybersecurity best practices: Now what?
Some executives don't think cybersecurity best practices apply to them. Expert Mike O. Villegas explains how to handle that situation.
I read that security professionals can get a lot of heat, or even be fired, for not giving CEOs free reign over their systems, even if that means allowing exceptions to cybersecurity best practices and policies. If this is true, what are some ways to deal with uncooperative executives who may be putting themselves at risk?
The danger of security professionals getting in trouble or possibly being terminated for deploying security measures on CEO or executive computing resources -- which is required of all other personnel -- poses an interesting dilemma. Information security refers to the protection of data from accidental or intentional disclosure to unauthorized persons, or unauthorized modifications or destruction. If the CEO insists he is exempt from protection levels imposed on the rest of the organization, the security professional basically has three options: (1) educate the executive on the risks and liabilities of not deploying security; (2) document the executive security exemptions and acceptance of business risks; or (3) reconsider current employment.
First, the security professional should try to educate the executive on the risks and liabilities. In some laws and regulations such as Sarbanes-Oxley, the CEO is held personally responsible if the company is negligent in implementing prudent protection of critical information and assets. For example, the CEO of Target was a casualty resulting from the disastrous data breach that occurred November 2013.
If the CEO insists security protection will not apply to him, then the security professional should document the executive's security exemption and ask that he accept the business risks. This is meant for protection since invariably when a breach does occur, the security professional becomes the first casualty. Documenting where the CEO accepts the business risk could potentially save the security professional's job.
If the CEO will not do either, then it's time for the security professional to reconsider his current employment.
Every professional certification and membership in information security, assurance or governance has a Code of Professional Ethics (e.g., SANS, (ISC)2, ISSA). Members are required to abide by these codes to maintain membership and certification. All codes focus on integrity, honesty, law abiding principles and respect for privacy and confidentiality. ISSA's code of ethics, for example, states that the security professional will "not intentionally injure or impugn the professional reputation or practice of colleagues, clients or employers." Be passionate and committed to your profession and that will translate into commitment to your employer. I am confident you will make the right choice.
Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)