
CEOs’ risky behaviors compromise security

Jun 09, 2017 | 3 mins

If shadow IT is a problem with business decision makers, that may be a sign your senior security person isn't engaged at a high enough level.


When business decision makers decide to circumvent security controls, they typically are trying to gain operational efficiency, not put the organization at risk. But even when done with good intention, they are creating risk. 

A recent study by Code42 found that CEOs are the top perpetrators of shadow IT, even though they know it’s a risk. The study showed that 75 percent of CEOs and more than half (52 percent) of business decision makers (BDMs) admit that they use applications or programs that are not approved by their IT department.

Rick Orloff, VP & CSO at Code42, said this is a prime example of the adage "we want to have our cake and eat it too."

“They just want to do it their way. These behaviors are possibly an indication that their senior security person is not engaged high enough in the organization,” Orloff said.

When the senior security folks are reporting to the CEO or the COO, they have a better understanding of what is happening and can make accommodations in order to allow implementation of tools that can be used correctly, Orloff said. “It’s a problem that can be easily avoided if the security decision maker reports to the c-suite.”

Of course, the c-suite folks are not the only ones guilty of these security-defeating behaviors. In some cases, it’s security practitioners themselves who invite risk, Orloff said. “They download a tool and it turns out that the tool has all kinds of risk with it,” Orloff said.

An example of this would be white hat hackers who download a password cracking tool to test the difficulty of passwords in the organization. “Cracking passwords then creates compliance issues,” Orloff said, adding that “there is a way to do that without compromising risk, but it has to be thought through quite carefully.”

In the case of executives who are engaging in shadow IT, Orloff said, it’s likely they don’t have good relationships with the security practitioners. But, Bay Dynamics co-founder and CTO, Ryan Stolte said that for security professionals, self-defeating behaviors are an issue of information overload.

“The pervasive problem that causes them to cut corners is that there’s far too much data about vulnerabilities and threats coming at our security professionals,” Stolte points out.

When practitioners feel overwhelmed, they default to trusting their guts. “They trust their experience and assume they can’t trust the data coming in.”

Organizations are vulnerable and seemingly being attacked from everywhere. It’s easy for practitioners to get buried under all those alerts, and when they do, “they start falling back on what has worked for them in the past. In the face of insurmountable odds, they fall back on what they know,” Stolte said.

Security practitioners who are drowning in noise end up taking the hunter mentality and abandon the data itself. “They spot check it and look for very specific patterns that have been successful in the past,” Stolte said.

After the fact, when they send in the forensic experts, they find that the evidence was there, people just didn’t see it.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
