Wednesday, May 4, 2011

For Privacy & Security, when Technology and Intelligence compete...it's no contest

With the recent news of the capture and death of Osama bin Laden, one thing was overwhelmingly clear: our brilliant and sophisticated technological superiority notwithstanding, at the end of the day it was pure, simple human intelligence that produced the dramatic results.

Takeaway: though technophiles like me love to layer on security tools and controls to maintain data and privacy security throughout the organization, what counts is the simple sentence or concept that hits home with the end-user employee who sits on the front line of the trench warfare between customer confidence and blaring headlines, because it is he and she who really determine our long-term success.

Being able to translate the importance and criticality of security being 'everyone's job' (and not just InfoSec's) within the company is the single most valuable ROI of security & privacy awareness a company can realize. Forget DLP, NAC, anti-virus, encryption, etc. Translating 'intelligence' into accessible and actionable steps your employees can take to protect the company's 'crown jewels' will ultimately be the reward your business folks will be looking for, appreciate, and best of all, value.

Sunday, May 1, 2011

Bring Your Own Device to Work and Help Put the IT Department Out of Work?!?

I was having a conversation with a fellow security professional at the CSO Perspectives seminar a few weeks ago and he used the word “disintermediation” to make a point about his website. We had a bit of a chuckle about how that word was used (rather, overused) during the dot-com days. The context back then was that the new, online world was going to obsolesce the traditional world of bricks-n-mortars through the ‘disintermediation’ process of cutting out the no-value-adding, costly infrastructure of middle-men.

This got me to thinking about the topic I was speaking about at the conference: the way to bring about a culturally acceptable balance between security and the use of consumerized IT. That is, how could IT departments allow users to bring and use their own equipment in the work environment and still maintain a modicum of security and privacy?

Why is this issue even a concern? In this cost-conscious environment where businesses are constantly being pressured to reduce expenses as much as possible, doesn’t consumerized IT actually make sense?

In some ways, yes. The primary downside of this veritable technological tsunami is the impact it has had on the dynamic between the typical user and the IT department. The user demand (especially among C-level types) to bring in a new iPad, iPhone, Droid, Xoom, etc. that they got for Christmas, and the expectation that it will be hooked up to the company network, inevitably highlights the tension and the traditional IT resistance to allowing unknown/untrusted devices into the inner sanctum. The risks are obvious and myriad. These risks have led many organizations to firmly resist consumerization by restricting personal devices/consumer electronics in the workplace.

I argue that regardless of the formal or informal position of the IT department, or even the company policy in general, this faction of users is growing and is in fact disintermediating the IT department by working around them to get their devices to work at work. The ‘Just Say No’ position of many IT departments is in fact making the company less secure overall, as it is causing employees to circumvent the rules and blockades put up and kept in place from years past.

The driver of this form of insubordination is clear: these days, the boundaries of a company’s information network are not as clearly defined as they were in the recent past  - the mobile phone is now the mobile office, for example. The ultimate objective of consumerization is simply work and personal life converged onto a single device. There is no longer credibility in walking around with five devices clipped to your belt, looking like something out of Batman Beyond. Today, if you walk into a meeting and plop down more than one device on the table, you are immediately branded a dinosaur.

The primary theme of my speech was that the trend of consumerized IT is irreversible and that resisting it is futile, so CIO/CISO/CTOs need to seek a culturally acceptable middle way of accommodating the movement, while still setting reasonable guidelines. The benefits of cooperation with a workforce that is more tech-savvy than ever are numerous, not the least being that the reputation of IT as a supporter of the business will be greatly enhanced. No longer will IT be identified as the “Dept. of No.”

Here are a few more reasons why it makes sense to listen to the sound of inevitability that’s coming at us at 100 mph. It’s all about productivity via familiarity with the toolset. Think about what life was like 15 years ago: you had use of all the great technology and software at work. When you came home, all you had was some stripped-down versions of that machinery and applications – toys, really. Today, the scenario is reversed. Employees who have state-of-the-art technology at home can’t reconcile the fact that when they come to work they have a Windows XP, or worse, Windows 98, machine that takes 2 days to boot up. Pent-up user demand (I want my MTV!), especially of the Gen X & Y and Millennials, should not be underestimated, and consumerized IT can be the Holy Grail of employee satisfaction.

The toothpaste is now out of the tube, folks. Employees are a lot more productive when they have a say in the tools they use every day. What we as IT professionals need to do is to show leadership & get it right so that the company is protected & users are happy. At least for now.