Photo: Sharat Sinha, Palo Alto Networks.
According to most information workers, when it comes to security, "IT needs to lead, follow or get out of the way." A 2013 Software-as-a-Service study conducted by Stratecast and sponsored by McAfee reported that 4 out of 5 employees surveyed are knowingly violating company IT rules that they perceive are just getting in their way of doing their work.
Whether we like it or not, far too often security is seen as a roadblock or a showstopper for innovation. More and more employees think it is just easier to find a solution on their own then it is to engage IT and run the risk of getting a "no" due to security concerns. This situation has resulted in a whopping 81 percent of survey respondents saying that they regularly use non-approved web applications to do their jobs, opening up substantial overall security risks to the organisation.
So why are they doing it? When I asked most business managers and employees why they chose to implement unsecured tools like Evernote, Dropbox or Skype, they do not see themselves as skirting the organisation's security policies, but rather as innovators trying to get the job done in spite of "oppressive" and "burdensome" security policies.
The response they generally receive from IT is "we have to allow it for everyone if we allow it for you" making every security discussion an almost certain "no." So what behaviour does this encourage? If employees believe the answer is always going to be "no," rather than follow the rules they just stop bothering to ask at all.
So how can IT become a leader and enabler of innovation, which employees willingly choose to follow, while at the same time continue to ensure the safety of the organisation?
Change the conversation
The solution is to change the nature of the conversation. Instead of saying "no," IT needs to recognise that these applications can in fact add significant value to the organisation. This must be true or employees would not willingly violate company policies in order to use them. Rather than simply blocking these applications, we need to work with the business to understand their value and come to terms on how they can be introduced into the workplace and at the same time be safely enabled.
This approach works and Stratecast agrees. One of their primary recommendations is to:
"Mitigate risks in commonly-used applications. Rather than shut down usage of popular but risk-prone applications, implement a security solution that allows you to control their use. Look for a solution that offers policy-based control over sub-functionality of commercial software—for example, allowing users to access Facebook but restricting the 'chat' function."
Sign up for Computerworld eNewsletters.