What to do when executives won’t follow IT policies

A common problem when trying to enforce IT policies: Executives and others in the company expect special treatment. Here’s what IT managers can do in those situations. 

When IT policies are written, they’re meant to apply to everyone in the company — including executives, VPs, upper management, etc.

Granting exceptions for those people can create a number of problems. Mainly, the rules are in place for a reason, often to keep data secure. And since those with more power typically have access to the most data, when they break policies the consequences can be especially dangerous.

Beyond that, it’s difficult to get other users to obey the rules if they know that their bosses aren’t being held to the same standards.

Making exceptions to some policies for executives is fairly widespread, according to a recent survey from IT staffing firm Modis on how companies handle online streaming of the annual NCAA college basketball tournament.

With the games available online — and many played during work hours in the early rounds — some companies decide to limit users’ access to the games. Among the 502 IT pros surveyed by Modis, 34% had planned to either block or throttle access to the video streams. That was in addition to 48% that already place restrictions on viewing non-work content.

However, exceptions will be made, according to survey respondents. Two-thirds of IT pros said they would allow access for the company’s CEO or president, while 52% would do the same for senior employees.

Talk to execs about IT policies

Many IT departments sometimes face pressure to exempt certain people from IT policies — especially when it comes to the rules governing personal mobile devices.

Here are some steps IT pros can take when they’re in that position:

  • Consider how serious the impact of the policy loopholes could be. Granting a few people access to the official streaming site for the NCAA tournament won’t cause security issues, but it could affect network performance, depending on the company’s bandwidth. IT should consider the likely impact of granting policy exceptions before they decide whether to say yes or put up a fight.
  • Explain the reason for the policy. In some cases, the exec or manager might just not understand why a rule is important and may back off after it’s properly explained.
  • Describe the impact the exception will have on the company’s performance. Execs will be more likely to understand IT’s position if it’s clear how violating policies could impact security costs and productivity and make it harder to get lower-level users to follow the rules.