Comment Re:Why Gen Z Needs To Change for Work (Score 2) 443
You are correct that this type of request is common from executive, and that IT bends over backwards to attempt to accommodate it. As the Security Officer of my company, I have a Risk Acceptance form that needs to be signed for this type of situation. It requires a signature by an Officer of the company, and if the requester is an Officer, it requires the CEO's signature. As the Chief Executive, the CEO is authorized to sign his own requests. HOWEVER, all of these forms are provided to the Audit Committee of the Board of Directors during each quarterly meeting, so the CEO is very sure that they are "real" requests that he is willing to support and defend. As the Security Officer, I am required to send a Risk Report directly to the Board's audit committee, and if anyone tried to circumvent the risk process, that would be in this report.
I'm fortunate that I have the backing of our executive management for this, but I have worked very hard to develop my relationship with our senior management and board. It helps that our company handles data that is subject to both HIPAA and state privacy laws, and mine is very much a "I am here to keep us all out of hot water and off the front page of newspapers" type of role. And all of our managers are mature enough to know that they are responsible should an exception to the rules end up in a loss to the company, so they are very supportive and cooperative with the controls we've agreed upon as an organization.
The key is cooperation, rather than an us-versus-them mentality between IT, management, and the rest of the business units.