I've found myself in a tricky situation where our CEO is using their own device, which a family member has "secured." They're traveling abroad with it, and I'm really worried about the security risks involved. Currently, we don't have a strict Mobile Device Management (MDM) policy in place, but I'm thinking it's about time we do something. I want to protect their Office 365 (E5) account without letting them know that we've noticed something off about their setup, as they've been using this device without any issues. Looking for advice on how to wrap their account in better security without cutting them off.
5 Answers
This really boils down to a 'not your problem' scenario. You could suggest the company buys the device from the CEO to make it company-owned, or start putting together a BYOD policy to create some structure around this situation.
One option is to have the CISO draft a policy that exempts the CEO from IT security requirements, but clearly states they're responsible for any risks. That way, you establish the accountability without directly confronting them about their device choice.
Perhaps suggest enrolling the CEO's device in Intune. This will allow you to enforce security policies similar to a typical work device. If they resist, emphasize that it's for their own security.
Honestly, the best approach is to explain the risks to the CEO. They need to understand the implications of using a non-company device. If they choose to keep using it, make them formally accept the risk—sometimes that's all you can do.
Since he's the CEO, he can technically do as he pleases. You might want to emphasize the advantages of using Intune and what a breach could mean for the company as a whole. If he doesn't take it seriously, you might have a long fight ahead.