Where’s Waldo?

by Brian Katz on December 12, 2012 · 5 comments

I had some very spirited conversations today due to the post this morning about herding kangaroos. The post was basically about the ever-changing business of EMM and how IT has ended up where it currently is. For most people that means they’ve ended up with MDM as a product. The points of the Twitter conversation revolved around the fact that users weren’t nearly as smart as I was pointing out, regardless of CoIT (Consumerization of IT), and that they really should be treated as incompetent, otherwise they would be security threats. Needless to say, I was awfully surprised.

Now, it’s not a new thing to think of your users as a security threat, and as was pointed out by the security person in question, training itself isn’t enough. Everything had to be secured and no endpoint should be left untouched. If users violated the perimeter, then they should be gone as the workforce is replaceable. Surprisingly, this isn’t the first time I have encountered this type of attitude and I think it is a product of the same legacy IT thinking I wrote about yesterday.

The world is truly full of boogeymen, and if someone desperately wants your data there is very little you can do to stop them in most instances; you may be able to slow them down, but that is probably it. The issue I have with this locking down of the enterprise is that it affects the business. As we all work for the business and we know that if they fail, we will eventually fail as well, it presents quite the conundrum.

IT has long been thought of as the police force and security may be looked at as the lawmakers and the SWAT team at the same time. There was a place for that when everything existed on a mainframe or in a general client-server environment when computing was only done at one’s desk. We are now at a point where technology has sprung up to give businesses real advantages. It allows them to be more flexible and agile, more efficient and productive. At the same time these tools expose our corporate data to more risks and these have to be dealt with as well. The issue, though, is that with the ITization of the consumer, being the big bad parent who says “Because!” no longer cuts the mustard. You need to look at how you enable your users to be more productive while at the same time protecting your assets.

This isn’t solely the responsibility of IT or Security; the business has to play a part in this drama as do the main actors, the users.

The goal is always to enable the business to reach as high as it possibly can and the only way to do that is through partnership. Security and IT have to be involved in the beginning of projects. They need to understand the desired outcomes while gathering the possible risks. At the same time, they have to be aware that the end-user is just looking to be as productive as possible and get the job done in time to spend their downtime doing what they want to do. This means that if security fails to keep this in mind and makes the task too difficult, users will find a new app or device that makes their job easier.

This leads back to the first discussion. Not every user is extremely smart or understands IT very well. The beauty of it is they no longer need to. They have devices and app stores that allow them to create tools for themselves that are better than anything IT can dream up. They will immediately stop using a crapplication if they can find a better app for the job. A crapplication is an app with a bad UI (User Interface) or UX (User Experience) that makes it harder to get your work done. Security plays its part in respect to the UX and they have to balance the risks with the enablement.

Security can feel free to lock down whatever they like, but if they do it willy-nilly and block the business from doing their job…well, there’s always outsourcing. The trick for IT and Security is to figure out why people are going around the valid controls and then find a great way to enable them to stay within the control but have a great app experience at the same time. You have to remember, people didn’t start using Dropbox because they wanted to steal information from their company or even expose it; they started using it because it allowed them to be more flexible on when and where they could work on a document. What IT and Security, working with the business, could do is, through understanding the business need of allowing the user to be more flexible where they worked, find an alternative to Dropbox that protects the sanctity of the data while providing an awesome user experience. Done correctly, the users will love it. They don’t have to replace their personal files on Dropbox with corporate files that they need to work on as they run out of space; they have a tool that allows them to keep the two separate but accessible.

Users aren’t incompetent; if they were, you wouldn’t hire them to work in your business. But they do need the right tools to get the job done, and there’s no reason that job can’t be done securely. If users aren’t given the right tools, they find what they need anyway and give it to everyone else who wants/needs it long before you have a chance to put a stop to it. It becomes very difficult to play the Where’s Waldo game every day.

  • http://twitter.com/Wh1t3Rabbit Rafal Los

    Good post Brian … I take exception to this statement: “As we all work for the business and we know that if they fail, we will eventually fail as well, it presents quite the conundrum.” because it perpetuates the silly notion of ‘us’ versus ‘them’… there is no them, it’s just US.
    Whether you work in IT, Security, a janitor or a data entry clerk – you ARE the business, period. Anything less, as Sir Charles would say, is uncivilized.

    You are dead on with the rest of the post, and this is one of those long-standing discussions that security has had, or rather that has been had with security – but I sense that we (security) are finally starting to listen. The main reason for this is that we’re sick of being run over and ignored – that being said, not everyone gets the hint … clearly.

    Keep fighting the good fight, we’re all in this together. The sooner we figure out that we’re all on the same boat and synchronize our movements, the sooner we’ll stop rowing in circles and actually row forward.

    My $0.02

    /Raf

    • http://twitter.com/Bitzer_Walt Walter Paley

      Perfect response, Rafal. Innovation in company culture reaches every level. Got an idea that would revolutionize our operations in any way? I want to hear it!

  • http://twitter.com/EMobilityInside EMobilityInsider

    observed gaps: places where ad-hoc tools are being used to accomplish a process need. It’s those gaps that need funded/sanctioned tools that are not crapplications.

    there now, I read it.

    • http://twitter.com/bmkatz Brian Katz

      The problem with observed gaps, we observe them but we forget to then do something to fill those gaps which shouldn’t be so hard…sigh

  • http://twitter.com/Bitzer_Walt Walter Paley

    Love it, Brian. Right on the money. We’re all responsible for the success of the company, and in a mailroom-clerk-to-VP Hollywood story kind of way, we should be rewarded appropriately!

    When stakeholders decide to limit their employees’ efficiency and ability to do their job, they are essentially stunting the growth of the business and preventing anyone from overachieving. Is that the culture that anyone wants in their company?

    I don’t think there’s one right answer for every company’s mobility strategy – but please have one. Let your culture evolve and let innovation spring from every office. It benefits everyone on board.
