IT is not in charge!

I was helping a guy on a plane understand what "the cloud" is.  Once I did that, we began a discussion on trust.  I shared with him my opinion that we have been trusting other vendors since we started IT.  We trust every piece of hardware and software we have not to contain backdoors designed to do things we don't know about. We trust technicians to know enough not to use bad passwords. (Of course, sometimes we're wrong.)  I don't see trusting a cloud vendor as being so terribly different.

I'm sure a bunch of you will focus on that first paragraph, and not on what this blog post is actually about. But here goes anyway.

Eventually we got to the part of the discussion where he mentioned that "our IT department would never allow that."  He explained how he has to carry three laptops (personal, corporate 1 and corporate 2) whenever he travels and how he has to dial four digits on his phone before he makes any calls.  I'm guessing that we just hit the tip of the iceberg of how his IT department is soooo security conscious that they have forgotten their primary purpose — to enable people to do work.  (BTW, this guy wasn't working on missile launch codes or anything.  I forgot what he does for a living but I remember wondering whether security was that important for this particular company.)

I ranted a little bit about that to him, to which he replied, "well, they are in charge."  I asked who he meant, and he said, "IT."

I just about lost it.

If you are in IT and you think you are in charge, you are wrong.  The only thing you are in charge of is helping people get their job done.  We buy decent laptops & desktops, so they'll stay up and people can get their job done.  We make backups so when things go wrong, we can get people their work back, and let them get their job done.  The only reason we do security things is to keep our company from losing the efforts of the people that work there.

Sometimes IT people forget that we are there to serve the business.  If you enact a security policy that's so rigid that it slows down people's work, you forgot your job. If you turn on a backup system that slows down the servers, and by association the work of the people, you forgot your job.

You are not in charge.  The business is.  I feel better now.

Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at Sullivan Strickler, which helps companies manage their legacy data.

6 comments
  • That’s one good post..!! 🙂
    But still companies have the right to protect their intellectual property. These days we are seeing more security breaches and code leak related issues making news.
    There should be a way to control such things.
    Above all, an employee should be responsible for such things and take measured steps as and when needed to protect the company's intellectual property.

  • I understand companies have to protect their IP, but I argue that it is secondary to creating it in the first place.

  • Much of the security we’ve implemented at work lately has been related to the requirements of PCI (payment card industry) standards. These affect the end user in seen and unseen ways that may very well slow down productivity. Yet it is a part of the cost of doing business if the company wants to be able to accept credit cards for payments.

  • @Bob

    Right. The business told you that you needed to comply with PCI, so you did. That’s not what I’m talking about. What I’m talking about is when IT takes it upon themselves to dictate both the requirements and the solution. A similar issue is when IT lies to the business and says that a given solution is the only way to comply with a given requirement, when in reality, it’s the only solution that IT likes that complies with it. IT should present the various solutions, their respective business cases and their impact on the environment, and then let the business make a business decision on which one to implement.

  • Someone who requires a user to carry three laptops around doesn’t understand multiple boot partitions, HD encryption, and/or virtualization. There are few if any reasons to force someone to lug that much hardware around if you are willing to leverage those three technologies. I bet his IT Director is someone who yearns for the good old days of the VAX.

  • IT needs to remember that it’s their role to effectively articulate the security risk (in terms of both likelihood and impact) and it’s the business’ role (be it Finance or someone who owns an impacted P&L) to make the call, in the context of the opportunity/benefits. Both sides are usually at fault, with the business not actively taking (back) the accountability for the decision, and IT for not pointing out it’s not their risk to take.