Corporate executives generally have more power than others in an organization, and some of them abuse that power to override security controls. Often this is due to a lack of knowledge about security risk management and the consequences of data breach incidents. After all, which executive wants to deal with the aftermath of a data breach, especially one disclosed in the media and public forums?
When it comes to security, policies are designed to manage security risks and must be applied to everyone consistently in order to maintain security. Controls such as segregation of duties, manager approval, the principle of least privilege, and system security standards are implemented to safeguard an organization from the many security risks companies face; ignoring such controls leaves major risks unaddressed. Executives, like all other employees, should not be exempt from following any company policy, procedure, or internal control, so that company assets, including confidential information, remain protected.
Usually, when policies and procedures are not followed or are overridden (sometimes by the same people who created and approved them), it becomes extremely difficult to monitor the deviations, even if policy exceptions have been formally submitted. If policy violations lead to inappropriate access and activities, it also becomes extremely difficult to detect such security violations promptly, because the detective controls are sometimes eliminated, manipulated, bypassed, or ignored altogether. Such violations may be detected during subsequent internal or external audits, but by then it may be too late, since a security breach lasting even a short period of time can have serious consequences.
Why Some Executives Abuse Power and Override Security Policies
Executives sometimes abuse power by overriding controls because:
- they don’t realize that their actions constitute a control override and a policy violation,
- they are not fully aware of the consequences of their violations, which leave controls inadequate or absent,
- they are busy and don’t think the same stringent controls and rules apply to them,
- they don’t think they pose any risk to the company by violating the policies, unlike the rest of the company,
- they plan to commit fraud,
- they think they can get away with it because of their positions and their perceived entitlement and rights in the company, and
- they might not even have requested such an override; it was simply granted because of their perceived entitlement.
When executives abuse power and override controls knowingly, it can be malicious and much more dangerous. For example, such power abuse can be intended to commit fraud, which can cost the company immensely.
In some instances, executives share their passwords to systems and e-mail with their assistants for some tasks because they don’t have time to request a password reset or to complete the task themselves. By doing so, the executives share their privileged access to sensitive company information and e-mail with their assistants and, even for a short period of time, unknowingly place their company at risk. Although the decision to share a password with someone else is intentional and careless, the consequences of that decision and the additional risks it introduces for the company are unintentional in this example.
When executives abuse power unknowingly, their actions may not be malicious but can still be dangerous for the company. There are many cases of control override without a formal exception request. One example is the automatic granting of access to restricted areas to executives. The person or group responsible for securing a restricted area, such as the server room, automatically grants the CEO or the President of the company access to that area as if they were automatically entitled to it, even if they have not requested and do not need such access. Often the person in charge of securing the restricted area or system fears for his job when asked to grant access to an executive, or even when removing unneeded executive access.
These observations suggest that:
- some employees in a company may believe that executives are entitled to unrestricted access and thus a) grant them such access even when the executives have not requested it, or b) would not question an executive’s request for unneeded access or a control override,
- some executives may believe the company rules don’t apply to them, and
- employees may think that it is not worth fighting an executive over compliance and risking their jobs.
In order to maintain a sound internal control environment and address instances of non-compliance, executives should be expected to support and follow the same policies that one of their peers or the board created, approved, and expects everyone in the company to follow. It should also be clearly communicated to all employees that executives are not exempt from company policies and are subject to the same rules as everyone else. Much too often, the independent internal parties responsible for monitoring the existence of and compliance with internal controls within an organization are reluctant to follow up on cases of executive power abuse, especially minor ones, for fear of losing their jobs. However, the risk at hand is not always about the executives’ intentions, which may be innocent, but rather about how others can take advantage of the reduced controls, whether the executives abuse power directly or indirectly.
According to Henry Bagdasarian, “this is a nightmare for CISOs because they must decide between pushing back on excessive requests from executives, directors and managers who feel special and risk losing alliances and the job or allowing some exceptions while being accountable for security audit findings or data breach incidents when they occur.”