I came across a survey report last week from security and investigations firm Stroz Friedberg that highlights the fundamental tenet of effective compliance and risk management – tone at the top. The survey of 764 information workers shows that senior managers are the worst offenders when it comes to using personal cloud services to manage work-related information. 87% of them regularly upload work documents to personal cloud accounts or e-mail.
This revelation of senior manager culpability in poor cloud security led me to share an ironic prediction with my colleagues – by 2020, enterprises will incorporate senior management redundancies into their infosec maturity programs. No, this is not an official Gartner prediction!
Seriously, though – think about it. If senior managers are willing to bypass the IT organization and its security strategies, then what about the rest of the employees? Now, here’s some real irony – the report says that 54% of lower ranking employees believe that security is the IT organization’s problem. Essentially, these employees are saying, “Catch me if you can.” So, is that passive-aggressive behavior, or what? And it all starts at the top.
Meanwhile, IT is jumping through hoops to prove that the cloud service providers used by the enterprise can demonstrate effective security compliance and risk management. And thousands of providers are responding to their customers’ demands for site visits, third-party audits, certifications, and responses to bespoke questionnaires with hundreds of questions. Most often, all this activity is driven by compliance mandates – meaning that there are penalties for not properly controlling certain types of information, most often personal information. But when they use personal cloud services, there’s a risk that senior managers and their followers are bypassing all of the controls that IT and the service providers are working so hard to put in place and keep working.
The question of whether all this compliance and audit activity is worth it is legitimate. With respect to enterprise-grade SaaS vendors, my colleague Jay Heiser says he has yet to find a SaaS risk event that had a material impact. If you know of one, please call Jay.
Regardless of what we may think of the risks, the bottom line on the Stroz Friedberg survey is that tone at the top matters – and it matters more than anything else. When something goes wrong, are senior managers at your organization asking what they did wrong, or are they asking what IT security did wrong? At Gartner’s 2013 Barcelona Symposium, I attended an organizational change workshop run by business relationship guru Keith Ferrazzi. Keith said that any real change starts with the leader who wants change – and first that leader must change. So, to improve security and risk management, business leaders must look first to themselves and their own behavior, and be open to making the biggest change in their own behavior.
Unfortunately, my colleague Tom Scholtz reported in his recent survey of security managers that involvement of non-IT leaders in security governance is waning, a finding seconded by another colleague, John Wheeler, who found in his survey of risk managers that investment in technology for risk management is shifting to technical security solutions. This lack of involvement by leaders, and the dependence on technical solutions, is unlikely to encourage employees to follow the rules.
With the explosion of cloud services and the ease of use of personal clouds, it’s unrealistic to expect employees to quit using them for work purposes. Senior managers need to remember that what they do, their employees will do. Business leaders who seriously assess the risks of personal cloud services, establish responsible (and simple) rules on the use of personal clouds, and then follow those rules themselves, are the ones who will be most successful at protecting against the loss of sensitive information. It’s those leaders, and not IT security, who will best protect the enterprise.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.