Could You Bring Your Company to its Knees?

By Dominic Saunders
Monday, July 23rd 2012
Advanced

There’s a saying, ‘do as I say, not as I do’, which seems to resonate in the executive corridor of far too many organisations. In this cautionary tale we use that saying to build a fictitious scenario, created to illustrate just how dangerous double standards can be. Our unfortunate protagonist is the managing director, who believes the rules don’t apply to him.

The headlines said it all: Tom Smith’s company was splashed across the news, and he knew someone in his company was in trouble. As a call centre, it wasn’t just his own database that was now hung out to dry, but also those of his 400+ clients, which contained some very personal information. He wasted no time: someone was to blame, and the root of the problem had to be dug up. Tom contacted his Chief Information Security Officer, Rob Banks. The instruction was simple: find the source of the leak, plug it, and whoever was responsible was out.

Rob wasted no time in trying to find who was to blame, and Tom was more than happy for him to do so. Of course, being interviewed by Rob was strange, but his thoroughness demonstrated that he was taking the situation seriously. As they sat down, Tom reassured Rob that he should treat him as he would ‘any other suspect’ and forget their respective positions within the organisation.

So Rob did.

Rob’s first question caught Tom a little off guard. Yes, he’d seen, read and understood the policies and procedures surrounding information governance. In fact, he’d been instrumental in helping Rob write them!

Moving quickly on to the security policy, Tom began to feel like a suspect. He confessed he hadn’t changed his password recently, even when the message flashed up prompting him to do so. Making up new complex passwords is not best done under pressure. Yes, in an ideal world he would change it every four weeks, but in reality who was actually doing that? The fact that everyone Rob had spoken to so far said they knew the rules didn’t mean they were actually following them. And Rob’s comment that Tom was in violation of the security policy was just churlish.

Rob asked Tom if he was aware of the protective technologies the organisation had deployed to provide a formidable security blanket. Aware of them? Tom had had to sit through endless presentations with Rob from the various vendors touting them. The social engineering test that the penetration team had conducted was infamous for the stunts they’d pulled. Tom was quick to remind Rob that every highlighted area had been addressed, with no expense spared.

Tom’s encryption habits were the next element Rob scrutinised. Tom had to admit he hadn’t upgraded the program on his PC yet, as he was worried about compatibility problems opening older files. He’d started to do it, but he’d been under pressure and it was taking so long that he’d had to abort it; that didn’t mean he wouldn’t. When he confessed he’d ‘switched off’ encryption on his laptop, Rob became really agitated. In Tom’s defence, it had slowed down performance, admittedly not by a huge amount, and Rob had to realise that every second counts. Yes, Tom agreed, he knew this violated the security policy.