A company usually takes its cues from leaders at the top: What the top executives emphasize will become the organization's imperatives, and what they ignore will typically fall by the wayside.
It is the same with IT security. If corporate leadership is not embracing and underscoring the need to follow the rules of good cybersecurity – or almost as bad, if they promote them for everyone else but don't follow those guidelines themselves – the results can be devastating.
“Leading by example comes from the very top,” says Darren Argyle, CISO and managing director for Markit, a financial services and information company based in London. Hence, Argyle says that at the very start of Markit's security awareness campaign, his team recorded a video of the CEO informing all employees that he takes security seriously and that it is everyone's responsibility.
“From what I have seen, this problem is pretty much universal,” says Perry Carpenter, research director covering security and risk management technologies and strategies for Gartner. There are some companies where leaders are trying to set the tone, he explains. “But in the vast majority of organizations, where top executives are trying to get the job done, sometimes the rules become secondary because of their position.”
However, despite their assurances that cybersecurity is a shared responsibility, C-suite executives are often so busy, or traveling or working remotely so often, that they take shortcuts – accessing corporate files or systems from a personal laptop or phone, downloading sensitive documents, or otherwise making an end-run around security controls in the name of convenience. And that can cause big problems.
“I believe this problem is significant,” says Stephen Gates, chief research analyst and principal engineer at NSFOCUS International Business Division, which handles network security and advanced analytics. “When executives and employees don't adhere to rules and procedures, they make themselves and the organization vulnerable to outside and inside security threats… creating a much larger issue for security teams.”
David Shearer, CEO of ISC², a nonprofit information and software security association, says he has watched this grow into a significant problem. Increasingly, though, government agencies and companies are adding IT security performance elements to senior executives' contracts, tying their compensation to meeting security goals – just as it is tied to sales goals – and making them more cognizant of how much security matters to the organization, its brand and its reputation, he says.
“What gets measured gets done,” Shearer points out. “Everybody wants convenience and that has been our biggest obstacle in cybersecurity.”
Darren Argyle, CISO and managing director, Markit
Perry Carpenter, research director, Gartner
Steve Conrad, managing director, MediaPro
Steve Durbin, managing director, Information Security Forum
Stephen Gates, chief research analyst and principal engineer, NSFOCUS International Business Division
Greg Schaffer, CEO, First72Cyber
David Shearer, CEO, ISC²
Indeed, Shearer says that IT security measures are often seen as obstacles by users, and often that includes the top executives “who will ask for a pass” because they are busy or traveling or just pressed for time.
Other security industry insiders agree with Shearer that, while the problem exists, more organizations are taking steps to try to make their leadership aware of the need for IT security compliance – from the top down.
“We're becoming better at it, but there's always a danger,” says Steve Durbin, managing director for the Information Security Forum, a global organization dedicated to investigating, clarifying and resolving key issues in information security. “Very few [executives] are deliberately ignoring policies, but they may be unaware or see no harm in what they're doing.”
Greg Schaffer, CEO and founder of First72Cyber, a risk management and analytics company, acknowledges that while it has been fairly commonplace for the C-suite to operate under a different set of rules, the recent publicity and regular attention given to breaches have contributed to a better understanding of the problem.
“It's not lost on them that this is a major issue,” says Schaffer, also a former official at the Department of Homeland Security. Based on his experience in both government and the private sector, Schaffer believes top executives overstepping their IT security boundaries is typically more of an issue in private sector companies, since the government is stricter and more unbending in its IT security rules and protocols.
Still, that is no assurance that even the most highly placed official will not run afoul of the rules. Case in point: The email scandal that has embroiled current presidential candidate Hillary Clinton, which reportedly stemmed from the then-secretary of state insisting on using her personal mobile device and computer for her government emails.
“We work with some very large enterprises and it's rare that there hasn't been exposure by the top executives,” says Steve Conrad, managing director at MediaPro, which handles enterprise training for IT security. “The risks are changing all the time. And the threat actors out there are consciously targeting the CEO. They're figuring out how to get their attention and hitting executives on purpose.”
One prominent example: A scam currently gaining popularity is one where a fraudster posing as the company's chief executive emails the chief financial officer, or another executive with payment authority, demanding an immediate wire transfer. If the message is well crafted – for instance, built on information gleaned from a compromised CEO account – the CFO often complies, and the enterprise is out the money from the transfer and has potentially shared sensitive financial information with crooks to boot.
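As an added illustration that is not from the article, the Python screen below checks an inbound message for the header and content tells a spoofed CEO request typically carries: an executive's display name on a mailbox that is not in the directory, a lookalike sender domain, a Reply-To that diverts answers elsewhere, and payment-pressure language. The corporate domain, executive directory and sample messages are constructed for the example. The second sample shows the limit of this approach: a request sent from a genuinely compromised executive account passes every header check, which is why a phone call to the executive before any wire transfer remains the control that actually stops the loss.

```python
"""Heuristic screen for CEO-fraud (business email compromise) messages.

Added example, not code from the article. The corporate domain, the
executive directory and the sample messages are constructed.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                      # assumed corporate domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}  # assumed directory: name -> mailbox
URGENCY_TERMS = ("wire transfer", "urgent", "immediately", "confidential", "today")


def lookalike(domain: str, target: str = CORP_DOMAIN) -> bool:
    """True for a domain that differs from the corporate one but closely resembles it."""
    if domain == target:
        return False
    return SequenceMatcher(None, domain, target).ratio() >= 0.85


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (number of indicators, human-readable reasons) for one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower() if reply else from_domain
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()

    reasons = []
    # 1. Executive's display name on a message that did not come from their mailbox.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' used with non-directory address {addr}")
    # 2. Sender domain is a near miss of the corporate domain (e.g. a digit for a letter).
    if lookalike(from_domain):
        reasons.append(f"lookalike sender domain {from_domain}")
    # 3. Replies are steered to a different domain than the one the mail claims to be from.
    if reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 4. Two or more pressure/payment phrases in subject or body.
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("urgency/payment language: " + ", ".join(hits))
    return len(reasons), reasons


# Constructed sample: spoofed sender with a lookalike domain and diverted replies.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jane.doe@mail-example.net>
To: cfo@example.com
Subject: Urgent wire transfer

I'm in meetings all day. Please send the wire transfer of $48,500 immediately
to the account below and keep this confidential until the deal closes.
"""

# Constructed sample: sent from the CEO's real (compromised) mailbox. Headers are clean.
COMPROMISED = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Quick favour

Can you push the vendor payment through today? I'm travelling and can't
get to the portal. Details are in my earlier note.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("compromised", COMPROMISED)):
        score, why = score_message(sample)
        print(f"{label}: {score} indicator(s)")
        for r in why:
            print("  -", r)
```

The spoofed sample trips all four indicators; the message from the compromised account trips none, because every header is genuine and a single phrase like "today" is not enough to flag routine mail. Header heuristics narrow the funnel, but the payment process itself has to require verification over a channel the attacker does not control.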