IT professionals have to cooperate

A common complaint I receive from IT professionals is, “Senior management is using very insecure practices.” I have to explain that as long as the senior management made an informed decision and they are aware of the risks they are taking, IT needs to follow their ruling.

In other words, IT professionals do not set policy. They enforce the policies that senior management sets.

For example, an IT professional called me recently about the senior managers choosing to allow their users to plug into customer networks. This practice is an IT security risk for a number of reasons. Still, if the executives understand the risks and say to do it anyway, then IT needs to follow their direction.

As mentioned last week, the process works like this:

  1. IT makes suggestions to senior executives, making sure the executives understand the benefits, drawbacks, risks, likelihood, and the extent of possible damages.
  2. Then, the executives reflect a summary back to IT so the executives are certain they completely understand.
  3. The executives make a decision and written policies are produced or adjusted as required.
  4. IT will enforce the policies and act on them accordingly.

The key is that the senior executives make an informed decision and truly understand the risk.

And yes, in case you are wondering, it is often the CEO’s computer that is the biggest security risk in most organizations because of all the “special treatment” and “exceptions to the rule” that CEOs demand from IT.

Please post your comments on this blog.

1 Comment

  • Chris McLellon December 30, 2010 at 9:32 am

    This is one of my favorite blog postings! This is such a true statement. As an IT Manager I do not consider my suggestions above anyone in our company. I almost feel sometimes that some IT Professionals come across as power hungry and don’t understand the real chain of command. I try to stress this to my team as much as possible. We make suggestions and the business makes the decisions!

    Chris McLellon
