Last month I wrote an article for Entrepreneur.com titled Identify and Stop Rogue Employees Before They Become a Security Threat. The article focused on the rogue employees we detailed in our eBook, The 3 Types of Rogue Employees - and How to Stop Them - the innovative, the bad and the lazy.
The Entrepreneur article spurred a couple of comments that left me thinking there might be some confusion around the term “rogue employee”.
The first comment was left on the actual article:
"What? The first type will be the best employee you ever had in your life, it is your fault if you cannot help him to get higher and get a better position, in accordance with his capabilities, and just want to close him into the damned corporate cage on a low level, where there is no possibility to develop."
The second comment was left on a Reddit thread:
"This is a terrible article. Almost everything in this article goes back to management and the people you hire, as well as the culture you create.
Every business I have ever been a part of willingly accepts the risk of the first group, those that break the rules to get shit done. Know why? Because they get shit done.
The last 2 groups are just a matter of hiring / firing / keeping the right people, and that extends beyond security."
When we at Identity Automation use the term “rogue employee” we’re referring to an employee’s actions with regard to IT security policies - NOT their overall job performance. It’s quite possible for a lazy rogue to be very good at their core job function, and still lazy when it comes to security.
We actually agree with the first comment, about helping an ‘innovative’ rogue progress higher within a company and get a better position, but that’s not a security issue. It’s a management and mentoring topic. Of course we want to see employees be innovative within their job role. The commenter correctly pointed out that it helps both the company and the individual employee. However, when the same person gets innovative with how they’re using company-sanctioned IT tools and opens up security vulnerabilities for the entire company, that’s a different situation. The innovation is no longer helping the company; it’s putting the company at risk.
The second comment mentioned HR issues of hiring, finding and retaining the right people. Again, I agree with this statement, but it’s not a security statement. It would be very difficult to ascertain in a job interview if a candidate would follow security protocol. And as I said earlier, someone could be a lazy rogue when it comes to IT security, but a rock star at their core job function.
The rogue employee labels were always meant to educate IT security professionals on how to do their job better. Knowing and understanding the mindset of the employees whose identities and access they’re managing can be very helpful in doing that. And to be clear, for someone who manages an identity and access management platform, doing their job better means making access easier, and at the same time, more secure, for everyone.
To learn more about rogue employees and how we define them, read our eBook, The 3 Types of Rogue Employees - and How to Stop Them.