Some are fine with C-suite executives opting out of cybersecurity measures for the sake of convenience. It's a bad idea.

When I see organizations enforce solid cybersecurity policies for all employees and then turn around and make exceptions for their elite -- executives -- I cringe and scratch my head. My mother used to use "do as I say, not as I do" tactics on me during my teen years. It didn't hold water then, and it still doesn't more than 50 years later. Now, I must admit, I come with a healthy bias when it comes to executive exemptions, as I hail from the school of leading by example. As if CISOs and their teams didn't find their plates full enough already, without having to deal with C-suite denizens blithely flouting the rules and setting a very poor example indeed.

I caught up with Jon Taylor, director of security for Versa Networks, who encapsulated the issue with utter simplicity -- for companies governed by a board (public or private), using the tools available, the need for compliance allows no space for exceptions. "These kinds of regulations and guidelines apply risk ratings to the CxO as an individual who personifies the name and face of their organization," Taylor says. "It's important to show the CxO that if they were to be the center of an incident exactly what data would be in danger, how the company would be impacted, and how they themselves personally could be impacted."

Convincing the C-suite they don't need exemptions

For privately held companies it "becomes more of an education for the C-suite," Taylor says. "They need to understand just how easy it is to target them as individuals and the cost that can bring to their organization when they are compromised." Projecting a similar view was Corey Nachreiner, CSO of Watchguard, who also advocates for the importance of leading by example and from the front.
He notes the importance of "educating the C-suite that a good cybersecurity program and culture is only successful when it comes from and is fully supported by the top leadership. CSO/CISOs should not accept a position as the head of security unless they know they have the full support of their board and executive peers." Without educated leadership-level support a culture of security will never succeed, Nachreiner says. "If your leaders do not follow the proper actions, it teaches employees that they don't have to either. Executives should already have an understanding that they are one of the most targeted groups for phishing and spear-phishing attacks, so they should want to follow good security practices and, frankly, need to remain more vigilant than the average employee."

Cybersecurity policies are there to enable business, not to constipate it. "If a security policy really does impede business to the level that an executive wants to bypass it, you should consider if the policy is necessary," Nachreiner says. "Cybersecurity isn't about an ivory tower of perfect security practice, but rather a risk-management equation that allows your company to do business with minimal risk. If a security policy is really preventing or slowing business, and the risk associated with it is less than the value it offers the business, then you can also make it an accepted risk."

The C-suite might need a more bespoke level of security

Some may say that the C-suite needs to receive the white-glove treatment. I count myself among those who believe the C-suite may have a need for a dedicated or accelerated level of support. I used the word "may" as it isn't always the case, but a cogent discussion argues for having a dedicated team to ensure their ability to function is always "on," even if perhaps from time to time degraded due to cyber incidents or circumstance. This begs the question: should the C-suite be wrapped in cotton, or simply provided a more bespoke level of support?
Taylor believes that 100% protection isn't possible and recommends a uniform approach to protecting the C-suite. He espouses the strategy of "more in-depth monitoring of these users' activities in order to identify indicators of compromise (IoCs) targeting the executive team and their extended families." Nachreiner was unambiguous: "Don't do this any more than you would with any other high-level or privileged employee. Executives should have the same security controls, policies, and acceptable usage guidelines as all your employees, with the only added measure being you treat them like privileged users or high-value targets."

Taylor also advocates for tighter controls and access limitations to be placed on C-suite users. "The CFO might have access to all financial data for the company but is restricted from any HR-related material that the CPO may have. The CIO will have access to reports that can be generated via tools, but not have read or write access to individual systems. The CEO, of course, has access to reporting systems but has no read or write access to individual systems within specific departments. This helps to create a buffer zone that if someone in the C-suite is compromised for any reason, the blast radius for the damage caused can be minimized."

Infosec teams must reduce the risk to the enterprise above all else

The infosec team must not and cannot stand back and wait for disaster to strike just because leadership is an ass. They must take steps to augment the security surrounding the wrong-headed decision and reduce the risk to the enterprise. I suggest to those who embrace the philosophy of "rank has its privileges" that you may find yourself on the outside looking in when it becomes clear that you opted out and are now responsible for the mess the CISO and their team are now cleaning up.
That said, Nachreiner provides worthy and prophetic words of advice for CISOs on providing exceptions to the C-suite: "Allowing exceptions for them, or trying to do something completely different is a slippery slope." He continued, "If you find they refuse to do what any other employee is required, and they care so little about security that they bypass policy, it's a sign that you do not have full C-suite support for your security program." If you, the CISO, do not have the C-suite support, then a fork in the road has presented itself. As I discussed in a prior opinion piece, CISOs need to know when to fold and toss in their cards.