Cisco Study Highlights Common Failures of Enterprise Security Policies | eWeek

Cisco Study Highlights Common Failures of Enterprise Security Policies

Écrit par
Brian Prince
Brian Prince
Oct 28, 2008
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

As actor Paul Newman’s character said in “Cool Hand Luke”: “What we’ve got here is a failure to communicate.”

The well-known quip is relevant to IT security in many enterprises. According to a survey by InsightExpress, one of the key issues surrounding IT is that many employees simply do not understand or know the security policies their company has in place.

The survey was sponsored by Cisco Systems and gathered responses from more than 2,000 employees and IT professionals in 10 countries. What was found was disturbing, if not startling-when asked if their companies had a security policy, there was a 20 to 30 percent gap between what IT professionals said and what other employees said. The largest gaps-31 percent-were in companies in the United States, Brazil and Italy.

Taken at face value, what this means is that many employees are oblivious to the security policies a company has in place. Most of the time security policies were passed along to employees via e-mail; an easy way of disseminating information perhaps, but not necessarily the most effective.

“When most employees get another announcement from IT about some policy or what have you, the typical response is to hit delete,” said Marie Hattar, vice president of Network Systems and Security Solutions at Cisco. “That kind of nonverbal mode of communication, if you are depending on that, is not a very effective way of [informing employees].”

Though the survey did not cover whether employees who received messages about security policies face-to-face were more aware of the policies, holding office meetings gives employees a chance to ask questions and have a voice in the policy-making process.

Beyond the communication factor, there is also a gap between IT’s perceptions of why policies are violated and employees’ true motivations. When employees were asked why they broke security policies, the most popular responses in all 10 countries were either that the policies don’t align with the realities of their job, they need access to applications not included in the policy, or both.

When IT pros were asked why employees violated policy, the most popular answers were variations on the theme of apathy and a lack of awareness.

Here, the problem is most likely related to a lack of understanding on the part of IT pros about how employees use technology to do their jobs. The end result is “greynets.”

“I think generally there is sort of this tremendous growth in user-driven adoption of collaborative application, Web-enabled technology,” said David Goddard, vice president of Security Assurance at Cisco. “There are many examples of that, from initial adoption of instant messaging tools to wikis … if IT is communicating a policy that isn’t agile enough to stay current, or at least be able to communicate the risk associated with those technologies if they’re not IT supported or approved, the users will say, ‘Look you’re constraining my ability to drive towards productivity.'”

Addressing this issue means the authors of security policy need to understand the realities of the business, and look at security as an enabler of business processes rather than a digital stop sign.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.