A common complaint I receive from IT professionals is, “Senior management is using very insecure practices.” I have to explain that as long as the senior management made an informed decision and they are aware of the risks they are taking, IT needs to follow their ruling.

In other words, IT professionals do not set policy. They enforce the polices that senior management sets.

For example, an IT professional called me recently about the senior managers choosing to allow their users to plug into customer networks. This practice is an IT security risk for a number of reasons. Still, if the executives understand the risks and say to do it anyway, then IT needs to follow their direction.

As mentioned last week, the process works like this:

1. IT makes suggestions to senior executives, making sure the executives understand the benefits, drawbacks, risks, likelihood, and the extent of possible damages.
2. Then, the executives reflect a summary back to IT so the executives are certain they completely understand.
3. The executives make a decision and written policies are produced or adjusted as required.
4. IT will enforce the policies and act on them accordingly.

The key is that the senior executives make an informed decision and truly understand the risk.

And yes, in case you are wondering, it is often the CEO’s computer that is the biggest security risk in most organizations because of all the “special treatment” and “exceptions to the rule” that CEO’s demand from IT.

Please post your comments on this blog.