What do you do when your company's executives insist on special treatment that violates your security policy? This week, I ran into this problem.
A company executive decided that he should not be constrained by the same security policy everyone else has to adhere to. This attitude is really nothing new -- executives often get special treatment, presumably because they have some direct influence over IT's budget and resources -- but this is the first time I've actually heard it said out loud. Usually the "executive privilege" is discussed quietly, in back rooms and hallways, because it's demoralizing for regular employees to hear that VIPs are held to a different standard than the rest of us. Special privileges for executives tend to be a dirty little secret.
Here's what happened. The executive in question wanted to download a program from the Internet, to install on his laptop. Our policy is to block people from downloading and installing stuff found on the Internet. I think that is relatively normal, given the broad range of risks associated with random Internet software, such as malware, Trojans, license violations and compliance concerns. So he was blocked from downloading the software installer by our Web filtering system, which is configured to enforce our policy. He then contacted our help desk, whose staff has been trained in the process for handling exception requests. So far, so good. The help desk offered to download the software for our esteemed VIP, which is part of the process. Of course, that would have to be approved, but it's the first "counter offer" in our process -- giving requestors what they need, without giving them access.
This is where things started to break down. The executive objected to being given the installer file by the help desk. He argued that he and the other execs should not have their Web browsing activities restricted at all! He demanded that the entire category of "downloads" be unblocked for his account. In the process, he was overbearing and unprofessional (in my opinion, after later looking at the email exchange), essentially bullying the help desk representative (who remained very professional). So the help desk representative proceeded to the next exception level, which is to provide a request form to unblock the category, as requested. Now, to be honest, I would not have wanted to approve that request. But I didn't get the chance, because the executive signed off in a huff, pulling rank. He could have followed the process, but instead he insisted on being above the law.
That's when the help desk passed the incident along to me. I quickly reviewed the exchange and was really kind of shocked at the behavior and demeanor of someone who is supposed to be a professional and a representative of our company. So I forwarded the email exchange to my boss, the CIO, with a note that we should talk about this executive's approach. I fully expected that we would have a discussion the next day about how to approach this executive to get him to stop bullying the help desk and pick on someone his own size.
I was wrong. My boss promptly sent a response to the exec telling him that he would talk to me about our "broken process"! Instead of backing me up, my boss chose to placate the angry executive. Should I have been surprised by that? Probably not. But our security policy is really solid. It's the first thing I built when I started as this company's security manager, specifically to establish expectations and authority. And it's approved and signed by the CIO himself. I can understand how there might be a hidden, entitled class within our company whose members don't think the rules apply to them. But what I didn't expect was the backlash on me, especially over such an obviously normal policy, for which I have a reasonable exception process.
On the bright side, at least my boss didn't include my comment about "approaching the exec" in his response about my "broken process." He thoughtfully cut that part out. So I suppose things aren't as bad as they could be. But wouldn't it be nice to live in a world where people act professionally, and IT leadership stands behind their security policy and applies it equally to everyone?
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.