I was helping a guy on a plane understand what "the cloud" is. Once I did that, we begun a discussion on trust. I shared with him my opinion that we have been trusting other vendors since we started IT. We trust every hardware and software we have not to put backdoor stuff in our hardware or software that is designed to do things we don't know about. We trust technicians to know enough not to use bad passwords. (Of course, sometimes we're wrong.) I don't see trusting a cloud vendor as being so terribly different.
I'm sure a bunch of you will focus on that first paragraph, and not on what this blog post is actually about. But here goes anyway.
Eventually we got to the part of the discussion where he mentioned that "our IT department would never allow that." He explained how he has to carry three laptops (personal, corporate 1 and corporate 2) whenever he travels and how he has to dial four digits on his phone before he makes any calls. I'm guessing that we just hit the tip of the iceberg of how his IT department is soooo security concsious that they have forgotten their primary purpose — to enable people to do work. (BTW, this guy wasn't working on missile launch codes or anything. I forgot what he does for a living but I remember wondering was security was that important for this particular company.)
I ranted a little bit about that to him, to which he replied, "well, they are in charge." I asked who he meant, and he said, "IT."
I just about lost it.
If you are in IT and you think you are in charge, you are wrong. The only thing you are in charge of is helping people get their job done. We buy decent laptops & desktops, so they'll stay up and people can get their job done. We make backups so when things go wrong, we can get people their work back, and let them get their job done. The only reason we do security things is to keep our company from losing the efforts of the people that work there.
Sometimes IT people forget that we are there to serve the business. If you enact a security policy that's so rigid that it slows down people's work, you forgot your job. If you turn on a backup system that slows down the servers, and by association the work of the people, you forgot your job.
You are not in charge. The business is. I feel better now.