Executive: I’ll be at an offsite meeting with the head of Human Resources and Accounting for the next couple days to go over our staffing strategy for the next year. Can you get the personnel information for everyone in the department, compensation plans, and the performance reviews from the past year and put them into Dropbox for me?
Assistant: I can, but at the company briefing last week the gal from security said that, with all of the data breaches lately, if there was going to be any sensitive data leaving the company site, they’re providing a USB encrypted drive for transporting the data. Would you like me to do that instead?
Executive: I was hoping to travel light on the tech since I’m going to be taking my golf clubs to go shoot a few rounds after the meeting. Besides, I’ve already got my USB mouse, the extra laptop battery, and the power brick for the laptop, on top of my phone charger and the USB cable. All the different ends on the cables get confusing and who needs the hassle of another device to lug around? Just put them into Dropbox please. They’ll be fine. The only people with my Dropbox account info are me, you, and my wife. She likes to upload pictures of the kids and share them with people sometimes. Anyway, it’ll be a lot more convenient for me since I can just pull them down from the cloud whenever I need them and not have to worry about it.
Assistant: I’ll have them uploaded. Enjoy your meeting!
While one might think the situation above is an exaggeration meant to illustrate a point, I can honestly say that it is not. In fact, the situation described has actually occurred. One of the most common reasons that situations like this occur is that, in many organizations, security only applies when it’s convenient for a user or group of users. In most of these situations, the user groups that tend to have the least regard for the company’s security policies are the ones that wield some sort of decision-making power.
On the flip side, the organizations I’ve found that don’t look at security from the “when it’s convenient” perspective are those where security is an initiative that flows from the CEO on down, and they also tend to take security very seriously. This means that the CEO adheres to the same security policies as the common end user. It just goes to illustrate the power of leading by example. At the end of the day, security will not be the major inconvenience that it is sometimes painted to be if expectations are managed and flow from the top down.