CIOs Need To Learn To Enable, Not Lock Down, Technology
from the just-different dept
Information Week is running an article about the difficulty some CIOs are having with the fact that just about everyone is at least somewhat tech savvy these days -- often just enough to be dangerous. Combine that with the rise of online software in the "Enterprise 2.0" realm and the ability for technology to bubble up from below rather than come from the top down, and CIOs are finding that their job is changing in ways they didn't fully expect. Some certainly don't see it as a problem, just a different kind of challenge, but it does seem like the very role of the CIO needs to change in some significant ways. Rather than managing all of a company's technology infrastructure, they're going to have to focus more on enabling other parts of the organization to use technology effectively and efficiently. Obviously, letting individuals or even individual groups in the company set their own tech policy can lead to problems, but it also opens up the ability for more creativity and for new types of communication and apps to bubble up in a more useful manner. This reminds me of a post by Chris Anderson over a year ago. When he was asked to speak to a group of CIOs, he was amazed at how scared they appeared to be by modern technology, rather than energized. There was fear, he noted, that the position of the CIO could soon be extinct. If they're not willing to recognize how the world is changing, then perhaps that's appropriate, but there's no reason a modern CIO can't focus on the enabling side, rather than the "lock everything down" view of the world.
Filed Under: bottom up, cios, enterprise 2.0, technology, top down
Reader Comments
It sucks to have everything locked down when you know what you are doing, but many people don't do a good job of keeping secure and the loss of productivity and time on the part of the IT staff (and the whole business if you have to bring the system down) is not worth making it so that random users can feel empowered by the ability to control their own PCs.
Efficient technology use is good, but letting the average user decide how best to do it does not seem like a good option, since they may have some knowledge but people like CIOs and IT staffers are much more likely to have a good grasp on finding and training users on new technology.
Jimmy... Couldn't agree more
keep it on lockdown!
Servicepacks and the like.
Like: Installing their own screensavers?
No. An easy in for things like malware, offensive material, and noisemakers.
Like: Installing their own productivity apps?
No. It's never tested in conjunction with business-critical apps, until they are installed. When it screws with those apps, WHO gets to fix things? WHO gets to listen to the ANGER when those apps are uninstalled in order to get things working again?
Like: Installing service packs.
No. Service packs ALSO must be tested before installation; they can and DO sometimes break business-critical apps.
"...Patronising users and treating them like ignorant children is a sure-fire way to foster resentment, and enabling users to do simple stuff for themselves like installing Service Packs saves the Tech Support team a lot of unnecessary legwork."
No. Installation of SPs can almost always be scripted to happen automatically, AFTER proper testing has been done.
IT doesn't like denying people, but THIS IS NOT A GAME. We have to support EVERYONE, and look out for the company as a whole. Users may think "what harm can it do" - without testing to say it's OK, NOBODY KNOWS! Users may resent being denied, but they don't know the cost to the company of not having restrictive policies in place. And they (in my 28 years of experience) almost never care, either. It's all "me, me, me", and if you say no, they think you are just being capricious. Users almost universally believe that support is easy, that it's just pressing a few buttons, and that since it's easy and takes no time, IT is just "mean" or "lazy" or "IT just sucks". That's why we hear the universal "Don't worry, we'll support it ourselves" line. In EVERY shop I've been in, EVERY time, when that kind of 'deal' has been accepted, IT ends up supporting the app. Usually in a month or two.
Now, after justifying the cost and testing the implementation, and making sure that authentication, administration and security work with existing systems - heck yeah - users need apps, and companies must remain flexible or go under. But unmanaged desktops and installations in a shop with more than 20 people? That's a recipe for disaster.
Remember that it's not just about YOU. It's about everyone.
Re: Servicepacks and the like.
Makes as much sense as...
When I proposed this to our CFO, I was amazed at how scared he appeared to be by modern financial tools, rather than energized. There was fear, he noted, that the position of the CFO could soon be extinct. Especially if he gave the keys of the asylum to the inmates.
Good point
Complete Lockdown = Standard Systems = Easy Admin = Low Costs (for the IT department)
That is a limited viewpoint, but large corps judge IT departments on smooth, low-cost running rather than taking into account the often high costs to the departments being managed (inflexibility, slow response to changes needed such as new software, frustration that increases staff turnover, inability to evaluate new components and applications, etc. -- real business costs that can lose orders and kill profits).
I don't favour fully open systems for all users but make sure they have generous rights fully protected by firewalls, AV, anti-spyware, anti-spam, traceability etc rather than privileges they will never need.
Work WITH users: be aware of their real needs even if such interaction is alien to many IT admins and costs more. Accept the small risk associated with new OS’s, frameworks, applications and do staged rollouts in manageable chunks – the business may well suffer in ways you can’t imagine if you choose to wait 2 years to “formally approve” .NET 3.5 before allowing it (as many do)!
FWIW, my (huge multinational) company shows such flexibility and each year shows higher profits and still stays safe – can’t others?
Exactly
That is the main point. Control is more of a kingdom protection than security.
@ Jake
opinions are like....
Think of the scene in 5th Element about breaking something creates new jobs... CIOs are only there to make the CEO feel cozy.
Re: opinions are like....
Enabling not always possible
Half the time we want to deploy something useful and cool, we run in to exactly that issue.
Tough to find the middle ground
For me, the bottom line is this -- people will live up to, or even DOWN to, your expectations.
Somewhere there has to be a point where IT gets to do their job effectively and efficiently and myself as a user is not shackled by not having the most effective tools.
I'm not sure what EH talks about when s/he says "government has to move first". Government itself has this very same problem internally like any other company.
I believe that the key is in establishing a corporate culture of mutual respect where the value of IT is recognized and appreciated, and IT stops viewing its clients as a bunch of click-happy Neanderthals.
There is a way to solve this, we just need to move away from the anecdotal water cooler talk and get down to business and work on a solution.
Re: Tough to find the middle ground
EVERYONE wants their job to be easier of course and I.T. folks are no different but you have to realize something... if you allow everyone local admin rights, when one of your users decides that they just have to see that jpeg of a nude Jennifer Aniston that someone they have never heard of sends them in email... they unintentionally launch the next day-zero attack/exploit into the network. Guess what? All your local admins now have been exposed to the worm that is now rapidly making its way through your network PC to PC, server to server and is either A. Trashing your files... all of them, or worse... B. Sitting stealthed so you don't even know it is there, gleaning all of your information and sending it out covertly to the hacker that wrote the script for him to sell to whomever will buy it. Customer databases, financial information, personal employee information...
People that say users in an enterprise environment should not be locked down have obviously been graced by not having an event on their network so they just really do not understand why having users as admins is a HORRIBLE idea...
The art of I.T. Security is finding that break even point, or balance, where security meets work functionality requirements. There are ways to let users run software that is poorly written and require a user to have elevated rights to run that do NOT involve giving them local admin rights as well by the way.
And yes, I AM biased as I am an information security officer for a government entity but have also worked in the private sector for many years (15 to be exact) as a network admin and architect, so I do know a tiny bit about what I am talking about.
Point Being....
I get paid to do IT work. That is what I do 98% of the time I am at work. Why is it wrong for us to expect others to do the same?
Do what you get paid to do. I make sure that all of my users are able to do their job. Tell me what is wrong with that!
RE: Government moving first
What I'm talking about are the host of arcane regulations that make it difficult, if not impossible, to certify that applications meet the various requirements of the host of governmental departments.
Locked Down for Multiple Reasons
One example: in California we have SB 1386 which requires a company to notify an individual if any of their personal information has been put at risk of disclosure. Disclosures of this nature not only impact the people whose personal information may have been put at risk, but also damage the reputation and business of the company. It is in the best interest of the company as well as the customers to do what is necessary to prevent these incidents. Typically these breaches occur because a laptop or desktop computer is stolen which has unencrypted personal data on clients. There are two ways to protect the organization from this: (1) enforcing full disk encryption which cannot be turned off by the user (they do not have admin rights) or (2) preventing the storage of data on the local machine by not giving users rights to store data on the local drive (and flushing caches, temp areas etc.)
Another example: at one organization all of the users were on Windows 98. I personally spent 20% of my time tracking down and cleaning systems which had been infected because users downloaded a program which included either spyware or adware. To make it worse, once one machine was infected it tended to spread the infection to others, so that other users who were being "good netizens" were still punished by the acts of the users who were not "good netizens." Once we had funds to upgrade to Windows XP, we rolled out desktops and laptops with group policy restrictions preventing this. In the four years following that change, not one single machine was infected by spyware or adware. The systems were more stable and the users were able to get more work done. At first there was some resistance but the users came to see that it really was not keeping them from doing their jobs and it significantly reduced the amount of time they lost by IT having to repeatedly work on their system to undo whatever mistake they had made.
Another reason: licensing and liability. When users have the ability to bring in software from home or that they got from a friend or share copies of Office etc., your organization can easily find itself on the wrong end of a software licensing audit by Micro$oft, the BSA, etc. All it takes is one disgruntled ex-employee to make a phone call and in come the federal marshals with the BSA folks to perform an audit of all of your systems. The only way you can protect yourself from this liability is to control who can install software and ensure that there is an employee responsible for tracking all licensing of software, where it is installed etc.
Another way to look at it: do you give root to every user on a Unix/Linux machine, or just to those individuals paid to administer them? My bet is the latter. And you probably use sudo as well. And you do not install software that is not needed.
Simply put, the greatest majority of non-IT employees do not require administrative rights to their computers in order to do the job they are paid to do.
The business has a right and an obligation to protect itself from these risks, even if it means that Joe Blow can't download that "cool screensaver" or "cool game" that is infected with spyware/adware or is a pirated copy. Installing that kind of thing is *not* required by your job, does *not* make you work more efficiently and is *not* in the best interests of the company.
Get over it, get to work, do your job, earn your paycheck, and play with that software at home on your own system on your own time and let the rest of us do our jobs without having to fix your messes.
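The root/sudo analogy in the comment above, as an added example that is not part of the original post or the commenter's own material: a small bash script that reads sudoers-style grants and separates accounts that effectively hold root (a bare `ALL` command list) from accounts limited to specific commands, the middle ground the commenter describes. The sudoers file it parses is constructed inline, the user names and commands in it are hypothetical, and it assumes plain one-line User_Spec entries (no aliases, no `#include`), which is a deliberate simplification.

```bash
#!/usr/bin/env bash
# Added example: classify sudoers grants into "unrestricted" (root-equivalent)
# versus "restricted" (specific commands only). Only plain User_Spec lines of
# the form
#     user_or_%group   HOST=(RUNAS) [TAG:] command_list
# are handled; aliases and includes are not (assumption, kept simple).

# Constructed sample sudoers file; names and commands are hypothetical.
make_sample_sudoers() {
  local f
  f=$(mktemp)
  cat >"$f" <<'EOF'
# comments and Defaults lines are ignored by the audit
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
alice       ALL=(ALL) ALL
bob         ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
carol       ALL=(root) /usr/sbin/service nginx restart
%wheel      ALL=(ALL) ALL
EOF
  printf '%s\n' "$f"
}

# Print one line per grant: "<user> unrestricted" or "<user> restricted".
classify_sudoers() {
  local file=$1
  awk '
    /^[[:space:]]*(#|$)/    { next }   # skip comments and blank lines
    /^[[:space:]]*Defaults/ { next }   # skip Defaults lines
    {
      user = $1
      # everything after the first "=" is "(RUNAS) [TAG:] command_list"
      eq = index($0, "=")
      if (eq == 0) next
      spec = substr($0, eq + 1)
      sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", spec)  # drop (RUNAS)
      sub(/^([A-Z]+:[[:space:]]*)+/, "", spec)              # drop NOPASSWD: etc.
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", spec)
      # a bare ALL command list is root by another name
      print user, (spec == "ALL" ? "unrestricted" : "restricted")
    }' "$file"
}

# Only the accounts that are effectively root.
unrestricted_users() {
  classify_sudoers "$1" | awk '$2 == "unrestricted" { print $1 }'
}

# Usage (after sourcing this file):
#   classify_sudoers /etc/sudoers
#   unrestricted_users /etc/sudoers
```

On the sample, `unrestricted_users` reports `root`, `alice` and `%wheel`; `bob` and `carol` come back as restricted, which is the "elevate for the one thing they need, not for everything" position the comment argues for. Run it against a real `/etc/sudoers` only after expanding aliases and `#include` directories yourself, since the script deliberately ignores both.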
Compliance Compliance Compliance Compliance
Nice of you to expect the IT folks and senior management to put their jobs, careers, and lives in jeopardy (as well as that of the company) so you can be empowered to use the latest bling.
In 20 years of IT (many at CIO level) I have seen dozens of situations where a well-meaning user (aren't they all?) evades IT policies and controls to "help" the company and ends up creating a big pile of %$#% that IT has to clean up.
> I can't figure out that big old SAP system, I just keep my orders in Excel.
> I'll just help IT out by installing this little wireless access point over here.
> I never liked that report, so I'll just download the data and create my own. Other people like it too, (dumb ol' IT!) so I'll just send my report to them too.
> That stupid system won't let me ship the product if I enter the REAL data, so I'll just enter what the system wants and it will move on.
> I wrote this really cool application in FoxPro that we use to value all our inventory.
> Well I could have gone through that complex system required by the FAA, but I'm sure my fix to that engine was correct. IT is sooooo bureaucratic!!! All those signatures and stuff!!!
> Billy is leaving the company and he wanted to keep in touch, so I emailed him the HR database.
> Johnny hates our corporate email system, so he just conducts business from his gmail account but then he got fired. Now he is sending email to customers saying their orders are delayed? How could IT have allowed this to happen???
Perspective
This isn't the first time this has been an issue - it's at least the third wave that I have seen (started in 1974 so I do have a slight time advantage) and I write this as an Architect who has managed development divisions and infrastructure consultancies.
@ Brent et al
In response to Imric's comment, I wasn't actually meaning to imply that users should necessarily install Service Packs etc on their own initiative, merely that they have the ability to run Windows Update themselves rather than wait for the IT Department to send someone round to each individual machine to log in and click a few icons once the all-clear is given; if a majority of a company's office staff can't be bothered to listen when sent a memo saying not to run the automatic update program until the IT department has made sure that it won't knock over a proprietary app, malware on the desktops is probably the least of the company's problems.
...
If someone has more rights than they need on a computer then you have just opened it up to attacks. Let's face it, people are careless. They use the same passwords for all aspects of their digital worlds. If I can figure out what a person's password is to, say, their Yahoo email then it is a good possibility that is what they are using at work also. I want my users to be able to do their job. I make it so that they can. No one has any business installing programs on the work computer. That is not what they are there for.
I have gone into offices and uninstalled games that people have brought and installed. That is not their job. It is also a copyright violation. I had to uninstall Office 2003 because one of our users did not like WordPerfect. Well neither do I but I had to use it like the rest because we did not have Office licensing.
People get paid to do a job. They need to do it while they are there. As to the updates... we have a WSUS server that installs all of the updates that we authorize; all the users have to do is restart their computers. They have no business trying to do the updates by going to the Windows Update site.
How about eating your own dog food
A professor of mine who was a security expert taught me that there is a lot of unnecessary FUD created in the minds of computing users. I wholeheartedly agree with him and the practice of risk management to balance security with accessibility and performance using business drivers as the justification for the application of security measures in an organization.