CIOs are facing the epic challenge of maintaining a secure IT environment while also managing employee expectations around the technology they need to do their jobs. This predicament isn’t new, but it’s more prominent than ever.
From the employee’s perspective, the capacity to work anytime, anywhere, and on any device is no longer seen as a nice to have – it’s expected. This is largely due to the proliferation of mobile devices, cloud computing, and software as a service (SaaS), all of which make it possible. The fact of the matter is that consumer technology is (and always has been) well ahead of the game compared to enterprise technology. As consumers, we’re spoiled for choice – we’ve been storing our digital lives in the cloud for years now, and sharing content across various messaging platforms.
It is not uncommon for IT departments to be seen as the roadblock to productivity, or collaboration for that matter. This is because they are the ones who lock down your systems, and restrict access to the many online tools and services you rely on. While there’s no doubt a need to maintain a certain level of control, at what point does it become ridiculous?
Before we go on, I’d like to point out that I’m not (and never have been) an advocate for violating IT policy. I simply see myself as someone who’s passionate about helping businesses work smarter. It just so happens that to do this, there may be a clash with what IT departments deem necessary. I must reiterate that this post is purely based on observations and opinion. And I welcome comments from IT team members who disagree with me.
In my 10+ years of working for corporates, I’ve seen everything from the sensible and necessary to the outright stupid and pointless.
Below is a list of some of the security measures I’ve seen. While I have my own opinion on what is necessary and what isn’t, I’ll let you decide for yourself…
- Blocking users from installing programs.
- Blocking access to productivity applications, such as Evernote and Google Drive.
- Disabling Chrome sign-in, as well as web apps and extensions.
- Disabling Outlook Web Access.
- Mandatory encryption for USB write access.
- Blocking access to file sharing tools like Dropbox.
- Blocking access to collaboration platforms like Slack.
- Using a VPN.
The problem with the above measures is that employees, despite wanting to do the right thing, will often resort to workarounds – which can be bigger risks in themselves. I won’t delve into specific examples of workarounds (that would be irresponsible of me), but let’s just say that I’ve found plenty over the years. They’re not dodgy, risky or complicated – they’re merely a recourse for those who want to work smarter.
Here’s the thing…
While I don’t pretend to be a cybersecurity expert, it’s fair to say that I probably take more security measures than most. I use unique passwords at least 10 characters long (made up of upper and lower case letters, numbers, and special characters). I use two-factor authentication on every service possible. I never allow automatic downloads of images or other attachments. I never use public Wi-Fi. I run regular scans for threats on all devices. I keep all my software, apps, and operating systems up to date. I’ll only download things from reputable sources (like Google), and never from unknown or obscure marketplaces. I read about cybersecurity daily. I never open suspicious looking messages or click on dodgy looking links.
Right now, I know what you’re thinking…
Most people aren’t like you. They don’t put these measures in place.
Fair enough. I understand. But perhaps this is because they don’t understand the threat landscape or what they need to do to protect themselves. Maybe, with the right education initiatives in place, you can strike the right balance between enabling your workforce and maintaining a secure environment. Remember also that the big tech players (probably the ones you use) have pretty robust security baked in.
We haven’t as yet addressed the issue of insider threats – that is, protecting your data from walking out the door. So let’s unwrap this a bit more…
First of all, I’m sorry to say that this is a battle IT teams have already lost. Again, this all goes back to the aforementioned point about workarounds. Then of course there’s the whole BYOD thing, which warrants its own blog post. No matter what sites and services you block with your proxy server, there are countless ways to circumvent this. This is a fact.
If you have employees who want to steal company information, for whatever reason, you have a bigger issue to focus on – what is driving them to do this in the first place? Have they been unfairly treated or dismissed? It’s unlikely that they have penetrated your organisation as a spy for the competition. You’ll find that most, if not all, people want to help your organisation get ahead. To do this, they need to be able to access the right information and resources easily.
I’m not saying that you have to open up or support every online service. Rather, you’re better off working out what tools will best suit your employees’ needs and workflows.
Regardless of vendor, you probably want to at least offer:
- A cloud-based office suite, such as Office 365 or G Suite, which includes adequate storage space.
- A collaboration tool, such as Slack.
- A project management tool like Jira, Trello or Basecamp.
Jeff Goldblum’s memorable quote ‘Life will find a way’ from Jurassic Park isn’t too dissimilar from the situation facing most modern workplaces – employees will (like the dinosaurs) find a way.
So, what are the takeaways from this post?
Well, there are a few that you can take or leave…
- Smart companies will focus on educating employees instead of blocking access to services.
- Smart companies will pay attention to shadow IT – not to prevent it, but to understand why it is happening.
- Smart companies will enable employees to be high performers, rather than hindering how they work.
- Smart companies will leverage cloud, mobile, and SaaS solutions from reputable third-party providers.
- Smart companies will have a responsive IT team that listens, and is approachable.
- Smart companies will be vigilant, but not anal.
- Smart IT departments will perpetually challenge the status quo in response to employee feedback.
I don’t pretend that this conundrum is an easy one for IT leaders, nor do I envy their position and responsibilities. I’m most certainly not downplaying the monumental challenges facing the IT landscape either. And if I come across as naive, I apologise.
I’d love to hear your thoughts – whether you agree or disagree.
Content marketer, blogger, author and tech geek.