In other cases, security is put in place that is inappropriate, resulting in security so burdensome people have to go around it. Lieberman said that's the fault of untrained IT staff. "The hardest thing to find in companies is the willingness to train their employees and send them to school. A lot of the systems you see are inappropriate. So they just open the whole thing up to everyone," he said.
Lawrence Pingree, research vice president, IT security, at Gartner confirmed the lack of security often comes from untrained IT personnel. "It is very common for IT personnel to not have limited access privileges. In many cases this is due to a lack of understanding of the need for access or simple resource constraints to limit access in the correct ways," he said.
Steve Willis, CISO of CallidusCloud on Demand, has seen these scenarios before. "It's commonplace to see burdensome security. The impression is that it's going to suffocate our ability to perform and be agile. That just means you have the wrong processes or technology or there's some other thing that hasn't been tuned to your specific needs," he said.
At the same time, the solution for many people is just to go around the security barriers. "Culturally, [at some firms] certain things may be just a wink and a nod and a wave, like what you don't know doesn't hurt you. You may circumvent a primary step in a process or logical controls, and someone might say 'well that person just makes it better. We don't care to know how they do it'," he said.
So there are times when a valued employee can get away with something that other employees could not do, simply because they are the company rock star. "Depending on who that person is in importance to the organization, they may have different levels of leniency involved," added Willis.
Pingree echoed the belief that most employees aren't being malicious or lackadaisical but just trying to get work done. "I don't believe most people intentionally break the IT policies. Most are looking to get their jobs accomplished so they skip appropriate steps or lack the knowledge of how to execute their jobs within the guidelines," he said.
How to fix
Pingree feels taking a risk-based approach (a proactive, prevention-oriented strategy) to security controls is always the best option. "The fact is that regulations are largely formed to address risks, but they tend to be quite behind in terms of advancement against the threats. Regulations force the hand of organizations' desires to avoid doing proper security," he said.
Finding the talent to build security systems isn't easy, he added, and his solution is what Lieberman feels led to the problem. "I'd say that the reality is that security takes a skill set that incorporates so many disciplines that it is challenging to find those that have the appropriate skills. This is what drives outsourcing," he said.
Lieberman agreed. "Hire a consultant or outsource IT. Or, pay to send them to real training. There is no cure for stupidity or consistently poor judgment."