Forget about securing the apps and the users – think about the data – this was where my last post left off. Let me give an example taken from my career as it is a handy lesson taken from the trenches…
Three years ago I ran IT for a small software business with around 250 employees. At that juncture, I was still very much of the opinion that the users of IT needed to be controlled and that they needed the help of my IT team to be able to have access to the tools that were needed to do their jobs. At one point it became clear that, while the user population continued to attempt to demonstrate why they needed the latest laptops (every 6 months or so) with ever increasing CPU power and need for more RAM and HDD than the hardware would actually support, there was a somewhat larger issue of also requiring large external hard drives. These drives were often pitched to the IT team as required to always have the company introduction presentation or the latest set of templates for software configuration and / or tender documents available for use on any customer / partner’s PCs. At the time, it seemed like “if we can’t have bigger hard drives in our underpowered laptops and you won’t sanction the company purchase of external hard drives, then we will just use our own external drives and will get on just fine, thanks”. So, clearly I was seriously concerned over the significant potential for loss of corporate data via USB memory sticks and the like, resulting in a project initiated to ensure corporate data security (safety) would be guaranteed. This very project immediately taught me that I was no longer concerned about the applications that a user could access (other than the obvious licensing issues of course), but the potential for data loss and just how important that data was to the very core of the business. It was the lifeblood, plain and simple, and needed treating like the VIP that it was.
It was following this epiphany that I opened the doors for things such as the breadth of mobility devices that the business would allow to access corporate data and the VPN was opened to enable access from devices other than the laptops that were under the control of the IT department. For many of the users, I am sure this was seen as “a result for the user population” and that “those idiots in IT may actually understand our needs after all”. I remain sure those users had no real concern over the security of the data or indeed the value of such data in the wrong hands and most likely still don’t today. However one thing is for sure, on the whole, the productivity of the user population took an upwards step following just a couple of seemingly simple motions. There were still some device level controls that were needed on the mobile devices that were to have access to corporate emails such as the forced wipe should a password be incorrectly input (say) 5 times in a row. These would offer a small level of protection for the business in the short term while better solutions could be sought. In time, a few users made requests for their own devices to have access to corporate systems and in all cases accepted the downsides of the device security in order to use their devices for business.
A few things of note here;
So, from the early days of users bringing in their own USB HDD, I found that slightly more technically aware users were making use of some new technologies that were effectively disk space sat out in the cloud. These were simply known to me as Dropbox products – lots of similar technology, each offering either more available disk space or broader-reaching client software, most offering some form of entry-level free-of-use product.
As a note, Dropbox itself was introduced to me by none other than Doug Brown of DABCC.com about 5 years ago as he attended a technical event that I hosted. Doug had found this new beta tech and was using it as a means of sharing documents and the like with his friends. It was a Windows-only client back then but was a cool way to share things without the need for a USB drive OR better still without needing to even be able to physically see the individual you wished to share the document with. OK, so email existed but this was a way cooler way to share since the recipient could simply grab the content at his / her convenience via a simple network share, and would be able to receive updated versions of the document, or indeed collaborate on the document as it was improved as time passed.
So as I fast forward to present day, a couple of these companies have subsequently dropped away, no doubt having struggled to ‘upgrade / migrate’ users from the free offering to a fully paid up monthly subscription, thus helping to fund the plethora of free users using the service as a simple free to use file sharing technology.
End users themselves still want the simplicity of these solutions and as a result continue to use them (for BOTH personal and business purposes), while the corporate wishes that these technologies would just disappear since they are wide open for Intellectual Property Right (IPR) abuse, with its own users holding corporate sensitive data out there in hyperspace with little or no security in place. Stalemate???
Maybe, but there are a number of solutions (the first that come to mind listed here) either available or becoming available to help ease the swallowing of the pill for the IT group;
Do these suggestions actually fit the needs of the end user? Will they still go off and do their own thing? Time will tell of course…
What will the next generation CIO do? What do YOU think? It would be great to hear your thoughts on this here.