Granted, IT is on the front lines of keeping the company humming, but upper management's total ignorance or lack of care is baffling, as I found out at one company -- call it Acme Corp. -- that was lacking in both security and its business approach.
When I first arrived at Acme, I found an IT department that management had no clue how to run and had continually said could be downsized to only one or two people.
Acme doesn't have much sensitive data, but it still has customer data, employee data, and such that should be protected. However, rather than rely on security, the company seemed to hinge more on secrecy (and I don't mean encryption).
Older tech is better, of course
Let's start with the firewall: We didn't really have one. Our setup was from the first dot-com period, when people used routers in NAT mode for protection. Considering how the landscape had changed over the years, that certainly wasn't enough. And given its advanced age, the VPN on the router used weak encryption. Similarly, the wireless network was still using the ineffective WEP (because it was stuck working with ancient wireless access points).
Then there were the systems: a domain and corresponding accounts. Password policy? Weak. Enforcing said policy? Even weaker. How about the network shares on the file servers? All the access permissions were loosey-goosey. Users on the domain could access any file from accounting to HR. (But who needs file server permissions when half of the office user accounts are in the admin group?)
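The three domain problems just described (a weak password policy, half the office in an admin group, and wide-open shares) are the kind of thing a newly arrived IT lead can check in a few minutes. The following audit script is an added example, not something from the column or from Acme; it assumes the RSAT ActiveDirectory module and the built-in SmbShare module on a domain-joined file server, and the 12-character and 5% thresholds are arbitrary starting points.

```powershell
# Added example: audit the findings described above. Assumes the RSAT
# ActiveDirectory module is installed and this runs on a domain-joined
# file server. Thresholds (12 chars, 5% of users) are assumptions.
Import-Module ActiveDirectory
Import-Module SmbShare

# 1. Password policy: is the default domain policy worth the name?
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt 12 -or -not $policy.ComplexityEnabled -or $policy.LockoutThreshold -eq 0) {
    Write-Warning ("Weak default domain password policy: MinLength={0} Complexity={1} LockoutThreshold={2}" -f `
        $policy.MinPasswordLength, $policy.ComplexityEnabled, $policy.LockoutThreshold)
}

# 2. Admin group bloat: compare privileged membership to all enabled users.
$enabledUsers = @(Get-ADUser -Filter 'Enabled -eq $true').Count
foreach ($group in 'Domain Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user')
    $pct = if ($enabledUsers -gt 0) { [math]::Round(100 * $members.Count / $enabledUsers, 1) } else { 0 }
    "{0}: {1} user(s), {2}% of enabled accounts" -f $group, $members.Count, $pct
    if ($pct -gt 5) { Write-Warning "$group contains more than 5% of all users; review membership." }
}

# 3. Loose share permissions: flag non-administrative shares where a
# broad principal has anything beyond Read at the share level.
$broadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', "$env:USERDOMAIN\Domain Users"
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
        $broadPrincipals -contains $_.AccountName -and
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -ne 'Read'
    } | ForEach-Object {
        Write-Warning ("Share {0}: {1} has {2} access" -f $_.Name, $_.AccountName, $_.AccessRight)
    }
}
```

Share-level permissions are only half the picture: a share granting Everyone read still exposes HR files if the underlying NTFS ACLs are equally loose, so pair this with a Get-Acl pass over the share paths.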
Company communication = necessary
Acme Corp. is very different from previous companies where I've worked, going beyond the lack of IT direction to the business in general. In all my months here, we have never had an all-staff meeting to communicate business goals and objectives.
In fact, though I'm part of the management team, we have never had a general management meeting, short of the few executives who would meet weekly to discuss issues. Besides meeting with my boss weekly to discuss assignments and goals, very few tasks have been passed down to me.
This reminded me of the defense companies I contracted at years ago, where everybody is on a need-to-know basis. But at Acme, you have no sense that anyone is keeping all the pieces together. It's a fly-by-the-seat-of-your-pants approach.
This company was not only missing many IT processes, but also business processes. Some people need a hit where it hurts, and after we were hit by ransomware that left our systems down for days, upper management finally paid attention to IT security. I'm happy to say a lot of progress has been made on the tech side. But I still wish upper management would communicate more about the business to the employees and pay attention to those processes.