The polls have closed on the Are You Ethical Poll. Pretty good turn out for the first poll in a few weeks. Here's how it breaks down.
When it comes to company policy do you:
A. Follow all the rules
B. Have work arounds that are necessary and approved
C. Break the rules how ever I can
D. We have Security Policies?
It turned out about like I thought it would. What surprised me the most (although I'm not sure why) was the number of you who answered D. We have Security Policies? This shows that lots of companies do a poor job of communicating the policies that they do have. Maybe it's because they were created and haven't been seen since. I don't think giving a new hire a book full of documents or a link to an intranet site is a good way to inform them of security policies. But I guess it allows companies to say that they have done their part.
To those of you who answered A. Follow all the rules, I say LIAR!!!! Just kidding. I know that there are those who do and I wish that there were more. It's not an easy thing to do. There are too many things that are easy to get around and really don't cause any harm. They just happen to be against policy. For those who do get around things w/o approval, or even those who do get approval, be careful. Not so much because it can allow bad things to happen (you're a security professional you know better) but because if end users know about it then it can harbor bad attitudes towards IT and we don't need any more of those.