“I walked into his office and painted a picture of our compliance status and the potential of an adverse audit finding related to password compliance,” the CISO says. “My CEO was unhappy to learn of this potential and instructed me to notify the account holder and get the problem fixed. I explained the account in question was his and I needed him to change his password. He changed his password and never had the issue again.”
The tradeoffs between convenience and security are becoming less of an issue with many senior executives, as they’re now much more aware of the risks, says Jay Leek, CISO at The Blackstone Group, an investment firm. And people at the lower levels of the organization generally try to do what they have been asked when it comes to security.
Where the challenge now lies is with middle management, Leek says. Often these are the people under pressure to get projects completed quickly and efficiently, and they look for shortcuts ranging from avoiding cumbersome passwords to wanting more access to data than they actually need.
“Maybe they don’t have all these insights [about security risks] or they feel more empowered,” Leek says. “I see them taking more risks. We’ve done a good job educating middle management, so we don’t have that issue today.”
But that doesn’t mean Leek never gets challenged. “I’ve had to have some very tough discussions” about security policies. “While it’s uncomfortable and not the happiest times, I’ve been able to at least come out alive and not gotten fired.”
Security, if done well, should provide protection in a user-friendly way, Dalva says. For example, companies can deploy technology such as single sign-on instead of forcing users to maintain multiple passwords for various systems and applications.
“Security doesn’t have to be an impediment to getting things done,” Dalva says. “It can enhance productivity” at the same time as providing data protection.
Bring-your-own-device (BYOD) issues have created their share of conflicts between security and business executives.
“When the iPad first came out the first people who wanted to carry them around were the most senior executives. How do you secure this?” Leek says.
“Everyone was trying to figure out how they could get a device that wasn’t ready to deploy” securely, Leek says. “People want these cool new tools or devices like that,” without giving thought to the security issues.
Other sources of differences between security and business leaders have to do with budgets and personnel.
The CISO who didn’t want to be identified says in one budget cycle the company’s CFO made unilateral changes to the IT security budget and cut some items that were compliance and regulatory in nature.