When it comes to technology, why does IT insist on treating professional business people like children? I realize that’s probably an unfair statement, but I can’t help but think that every time I read a story that talks about the dangers of the Consumerization of IT movement, like this recent one in SC Magazine.
Sure, people lose phones all the time. And IT’s desire to be able to install security software or wipe phones remotely to protect a company’s intellectual property is a very real and legitimate concern. But having worked at a large security company, I also know that people are often the weakest link in security – not technology. If you’ve every flown cross country, then you know what I mean. You’ve probably seen people pull up sensitive information on their laptop for the whole world – at least the whole plane – to see. Heck, I’ve even found company “confidential” reports tucked neatly in the backseat pocket of more than one flight. All the IT issued security in the world can’t police the human factor.
A friend and former security colleague of mine often talked about what he called the “IT box out”. This notion that IT often used security as a sophisticated form of sophistry to justify why things had to be a certain way. I’m reminded of that every time the topic of the Consumerization of IT comes up. IT says, “Oh, we can’t have employees bringing in their phones to access the networks. What if they lose it?” Or, “We can’t have employees building their own applications, because what if it’s not designed securely?” If we choose to go down the “what if” rat-hole of possibilities, why stop there? What if … an employee leaves a confidential report behind? Should we ban paper documents or printing? What if ….. an employee has too many beers at the game, and talks about his big “project” at the office? Should we ban football games? What if ….. an employee talks about their day at work with a spouse, spilling the beans on something important? Should we ban…..You get the picture.
Here’s a radical idea. How about we treat employees like adults and spend more time on educating and enabling them versus trying to control them. Simply put, we explain the importance of keeping things safe and secure, and provide them with the technology – and more importantly the training – to keep things secure. I’ve worked at small and large companies, including 2 Fortune 100 companies. I received training on a variety of HR things, retirement issues, health issues,time management and more. But never in all my years did I ever receive any “security” training. (And remember, I worked for a security company).
I don’t know about you, but my phone has pretty important stuff on it above and beyond my work stuff. Personal email. Facebook account info. Pictures of my children and family. Bank account apps. It’s in my best interest to secure that stuff too. Frankly, I probably value keeping my personal stuff safe far more than I worry about keeping my work stuff safe. Give me the tools and training, and I’ll do it.
Of course, many will say that you can’t count on employees to do the right thing and manage the necessary safeguards. To that I say, if you can’t trust them to act responsibly with their technology, how can you trust them at all?