Locking Down IT—and Trust

Imagine a company with several billion dollars in annual revenue relying on 2 tools to support internal collaboration:

  • Telephone
  • Email

It gets worse. I'm not making any of this up.

  • USB ports on all computers have been blocked from use.
    If you need to upload photos or move something from a digital camera to your computer, Fetch and FTP have been provided for such purposes. Sure, they are slow and inefficient, but it's the most secure means of moving data and files around, right?
    Why such a restriction? The answer offered is that there have been instances "in the world" where viruses or programs have been introduced by USB ports, and, well, you just can't be too careful in today's world. Or can you?
  • IT routinely blocks websites from use, e.g., Facebook, Skype and many others.
  • Need a virtual team space? "Shared folders" have been made available for that purpose. Of course, we all know how secure "shared folders" are.
  • Instant messaging/chat and presence detection? IT explained they had never seen a business case that justifies enabling such functionality. There are tiny pockets of usage, though an act of Congress was needed for permission to be granted.
  • Desktop video conferencing? Not allowed—even when a senior vice president requested such functionality to work with an employee on leave. Why? "Because I (IT) said so."
  • Room-based video conferencing? Available on a very limited basis.
  • Want to check your email from home? Permission may be granted on a case-by-case basis. Many don't know that they can ask permission.
  • Email attachments over 5 MB are not allowed; Fetch and FTP are.
  • Email is available for 30 days only to (as I was told) "save money on disk space."
  • Mobile strategy? An email-centric company really only needs a Blackberry, right? And, then, only if you are a senior executive.
  • What if you've made it through the IT gauntlet and might have been granted special dispensation to use some special tool or access? You are encouraged to keep this quiet—IT wouldn't want word to get out and create more of a support burden for themselves.

Okay, try to stop screaming. This is 2011, right? It feels so "1980ish."

How many of you would want to join such a company? And, if you did join this company, how many of you would want to stay? Does this firm strike you as being a Fast Company?

Interestingly, 50% of the people surveyed offered that they didn't need any additional tools to support collaboration—what they had met their needs. The lesson? People don't know what they don't know.

When the CIO was presented with recommendations for additional collaboration tools to support enterprise growth and geographic expansion, he quickly asked if the recommendations were really needed as their company might be "state of the art" in their industry with the tools already in place. I've since polled a number of companies in my client's industry and confirmed that my client is not "state of the art."

The CIO is studying the recommendations. Time is of the essence. I look forward to the next steps. Until then, I will continue to shake my head in amazement at what I've discovered here.

Trust and IT Policies

After the assessment was completed, I had an interesting discussion with several people around the blocking of Facebook. Some leaders routinely take the position that a company is well within its rights to block the usage of sites like Facebook. Facebook is, after all, a potentially huge time waster and could be abused. And, of course, that's right. I'd remind readers, however, that an Internet connection allows for the possibility of people wasting time somewhere in cyberspace that isn't blocked.

But, the issue isn't whether Facebook is a time waster or not—it's about the message the company sends when it locks people out of a site that is a significant communications medium within the present and future workforce.

While I'm not a Facebook aficionado (I don't need another distraction in my life), I've observed how different people and different generations are using this tool. Whereas I rely on email to stay in touch with colleagues and clients, that's just me—others are relying on Facebook and tools like it.

So, what does blocking Facebook really represent in a larger sense? "You don't trust me." "You don't trust me to do the right thing at work."

It would be better to establish company policies governing the use of Facebook during core business hours and grant people access. Telling employees (directly or indirectly) that you don't trust them to "do the right thing" undermines relationships. Holding people accountable for producing results is what is really important.

What do you say to a corporate vice president who controls a spend of nearly $100 million annually that he can't use the USB port on his computer to look at information gathered from vendors at an industry trade show or even to download photos from a digital camera taken at a job site? He's wondering "where's the trust" and "where is the true benefit to the company" for being so locked down? Great questions!

How the CIO's world is evolving

I recently met Paul D'Arcy, Executive Director of Large Enterprise Marketing for Dell, at an enterprise product launch event in San Francisco. Paul authored a terrific white paper called CIO Strategies for Consumerization: The Future of Enterprise Mobile Computing that speaks to many of the challenges IT faces in the coming years. While I recommend you read this paper in its entirety, there are a few salient points I'd like to share now:

Already, the expectations of a new generation of workers are resetting the CIO agenda. As social media becomes a foundational component of work life and corporate collaboration, as new mobile devices and application platforms proliferate, and as more employees work from home, traditional corporate policies on personal computer usage, data security, and application usage are becoming antiquated.
The result is the rapid consumerization of IT. We define consumerization as the migration of consumer technology—including electronic devices, platforms and applications—into enterprise computing environments as home technology becomes, in some instances, as capable and cost effective as its enterprise equivalents. Today, the issue is most pronounced with consumer smart phones, media tablets, and Internet applications which have been intentionally excluded from many companies' IT policies.
With the cloud providing applications and computing power to anyone with a credit card, employees are increasingly bypassing IT altogether to get the tools and technology that they desire without the hassle of outdated IT processes.
For employers in the United States, the adoption of flexible work arrangements is rapidly accelerating. Over the next year, 35% of employers plan to provide more flexible work arrangements for employees. In particular, 73% plan to implement flexible schedules and 41% plan to implement telecommuting options. As a result, 43% of the American Workforce—more than 63 million workers—will telecommute occasionally by 2016. [Note: While this may be obvious, 2016 is a mere 5 years away.]
As knowledge workers increasingly work from outside the office, it is difficult for corporations to control device usage, application usage, and most importantly, to monitor the flow of corporate information and intellectual property beyond the company's walls. IT departments need to develop policies to deliver and secure sensitive data on both IT-owned and employee-owned devices.
With a new generation of knowledge workers, end user technology is increasingly becoming a talent recruitment and retention issue. Companies that invest in end user technology and implement innovative technology policy will see advantages as they look to recruit a new generation of knowledge workers.

Conclusion

IT security and vulnerabilities are serious issues. But it is simply not reasonable to say "no" to business needs simply because of a "possible" breach of access to a network or critical data that has such a remote likelihood.

If there are real IT vulnerabilities, identify and correct them. If the vulnerabilities and threats are of the corner case variety, then help the company protect against them by offering the best advice you can. There isn't 100% protection for anything.

The CIO's role is to enable a business, not make it work with one hand tied behind its back. This only serves to undermine business execution and velocity in the business. The CIO can't disable a business because of the threat of occurrences that very likely never will occur.

My mentor, Alan Weiss, often reminds me: "We're looking for success, not perfection." And, so it is in IT as well.

Dave Gardner is a management consultant, speaker and blogger who resides in Silicon Valley. His firm helps clients eliminate business execution issues that threaten profitable and sustainable growth. He is a member of Dell's Customer Advisory Panel. He can be reached through his website at www.gardnerandassoc.com or on Twitter @Gardner_Dave.

5 Comments

  • Lindsey Niedzielski

    Great post, Dave. I really like "it's not reasonable to say "no" to business needs simply because of a "possible" breach." I feel like sometimes we allow ourselves to be governed by fear rather than need. We have a community for IM professionals (www.openmethodology.org) and have bookmarked this post for our users. Look forward to reading your work in the future.

  • David Gammel

    I'm not sure they should have phones. I've heard they can be used to spread rumors.

  • David Gardner

    DaveG: I so agree with you. Sometimes, if you put a spotlight on an issue people begin to see things differently. There are already indications that my client is beginning to realize that "resistance is futile" even though the party line a few weeks ago was "circle the wagons--we have to make sure our world doesn't change."

    Paul...I hope executives and CIOs read your white paper which is referenced in the posting. It's a great read and offers many compelling insights that need a much broader audience.

  • Paul D'Arcy

    Dave – Great post and thanks for the kind words about the whitepaper. I look forward to hearing how other CIOs and IT companies are addressing these always changing security challenges and continuing the conversation. Paul D’Arcy, Dell Large Enterprise Marketing

  • logicDave

    It's unfortunate to see how often this happens in business. In an age of staffing cuts and tight deadlines, the idea that we must abstain from using collaboration tools (and that's really what we're talking about) because of a possible security risk makes the job even more difficult. There's also a misguided trend that existing technologies are perfectly acceptable and secure, while any new technology is highly risky. Make a case for using instant messaging and you're told it's forbidden because it can't be logged (it can), yet we can have conference calls for hours on end in a completely unmonitored environment.