Over the years I have had a nagging suspicion that was only confirmed today. I ran into a study done last year by a company called Cryptzone, who interviewed 300 IT security professionals at a trade show. The results are not pretty. Almost half of upper management think they can sidestep security policies and believe that "the rules don't apply to them" when it comes to complying with IT security policies and procedures.
A whopping 42% admitted that upper management regularly ignore policies and procedures and fail to perceive that they should instead be setting an example for employees. Worse, 52% of those surveyed agreed with the statement that upper management have access to the most sensitive information yet have the least understanding of security.
This shows where the problem starts in many cases: to be successful, IT security needs to be driven from the top down and given air cover from the Chairman and CEO level to be truly effective. As long as that does not happen, you will continue to read about data breaches in tomorrow's newspaper. You can see the whole survey and the results: download the Perceptions of Security Awareness Study.