I had some very spirited conversations today due to the post this morning about herding kangaroos. The post was basically about the ever-changing business of EMM and how IT has ended up where it currently is. For most people that means they’ve ended up with MDM as a product. The points of the Twitter conversation revolved around the fact that users weren’t nearly as smart as I was pointing out, regardless of CoIT (Consumerization of IT), and that they really should be treated as incompetent, or else they would become security threats. Needless to say, I was awfully surprised.
Now, it’s not a new thing to think of your users as a security threat, and as was pointed out by the security person in question, training alone isn’t enough. Everything had to be secured and no endpoint should be left untouched. If users violated the perimeter, then they should be gone, as the workforce is replaceable. Surprisingly, this isn’t the first time I have encountered this type of attitude, and I think it is a product of the same legacy IT thinking I wrote about yesterday.
The world is truly full of bogeymen, and if someone desperately wants your data there is very little you can do to stop them in most instances; you may be able to slow them down, but that is probably it. The issue I have with this locking down of the enterprise is that it affects the business. As we all work for the business, and we know that if it fails we will eventually fail as well, it presents quite the conundrum.
IT has long been thought of as the police force, and security may be looked at as the lawmakers and the SWAT team at the same time. There was a place for that when everything existed on a mainframe or in a general client-server environment, when computing was only done at one’s desk. We are now at a point where technology has sprung up to give businesses real advantages. It allows them to be more flexible and agile, more efficient and productive. At the same time, these tools expose our corporate data to more risks, and these have to be dealt with as well. The issue, though, is that with the ITization of the consumer, being the big bad parent who says “Because!” no longer cuts the mustard. You need to look at how you enable your users to be more productive while at the same time protecting your assets.
This isn’t solely the responsibility of IT or Security; the business has to play a part in this drama as do the main actors, the users.
The goal is always to enable the business to reach as high as it possibly can, and the only way to do that is through partnership. Security and IT have to be involved at the beginning of projects. They need to understand the desired outcomes while gathering the possible risks. At the same time, they have to be aware that the end user is just looking to be as productive as possible and get the job done in time to spend their downtime doing what they want to do. This means that if security fails to keep this in mind and makes the task too difficult, users will find a new app or device that makes their job easier.
This leads back to the first discussion. Not every user is extremely smart or understands IT very well. The beauty of it is that they no longer need to. They have devices and app stores that allow them to create tools for themselves that are better than anything IT can dream up. They will immediately stop using a crapplication if they can find a better app for the job. A crapplication is an app with a bad UI (User Interface) or UX (User Experience) that makes it harder to get your work done. Security plays its part with respect to the UX, and it has to balance the risks with the enablement.
Security can feel free to lock down whatever they like, but if they do it willy-nilly and block the business from doing its job…well, there’s always outsourcing. The trick for IT and Security is to figure out why people are going around the valid controls, and then find a great way to enable them to stay within the controls while still having a great app experience. You have to remember, people didn’t start using Dropbox because they wanted to steal information from their company or even expose it; they started using it because it allowed them to be more flexible about when and where they could work on a document. What IT and Security, working with the business, could do is understand the business need of letting the user work more flexibly wherever they are, and then find an alternative to Dropbox that protects the sanctity of the data while providing an awesome user experience. Done correctly, the users will love it. They don’t have to replace their personal files on Dropbox with corporate files they need to work on as they run out of space; they have a tool that allows them to keep the two separate but accessible.
Users aren’t incompetent; if they were, you wouldn’t hire them to work in your business. But they do need the right tools to get the job done, and there’s no reason that job can’t be done securely. If users aren’t given the right tools, they find what they need anyway and give it to everyone else who wants or needs it long before you have a chance to put a stop to it. It becomes very difficult to play the Where’s Waldo game every day.