Are users in your organization fully empowered to utilize their computers -- install and update software, define printers, and perform other routine tasks? Or do they have to call the help desk for every little thing they need done, frequently waiting several days only to be told, "No, we cannot do it" or "It will compromise security" or "It's just not allowed in our organization"?
Having worked in both types of organizations, and having managed the IT environment in an empowered organization as CIO/CISO, I have observed that users in the second type of organization have an antagonistic relationship with IT and information security. They feel security is someone else's responsibility. Experimentation and innovation are low. IT is usually overworked and understaffed and does not enjoy fulfilling the majority of requests, since they are routine and present no new challenges. The typical call volume for service is also very high.
In the empowered organization, users are more conscious of and more engaged in security. There is a collaborative relationship with IT, which is viewed as helpful. Users also recognize and accept information security as their responsibility.
Organizational information security rests on three pillars: technology, policy, and people. Getting the people part right is very important for any organization. Getting it wrong could hurt the organization in many ways. Users could intentionally bypass security measures they do not view as helpful. They could fail to disclose problems or share concerns. They could suppress important ideas and suggestions that could improve the security of the environment.
During a keynote address at a recent CISO Executive Summit in Washington, DC, Ira Winkler, CEO of Internet Security Advisors Group, told CISOs to create a collaborative relationship with users to keep IT from being labeled as the "Department of No." Justin Somaini, CISO of Yahoo, shared similar experiences during an afternoon keynote. He argued that it was important to get users within the organization to accept information security as their personal responsibility. One key way to accomplish this, he said, is to empower users.
Somaini found very little difference in security between empowered and non-empowered environments. But in my own experience, I have observed more virus infections and security issues in organizations with severe restrictions on user capabilities, primarily because the absence of a security culture promoted unsafe user behavior.
The remarks by Winkler and Somaini made me think of the safety culture I observed at a nuclear power plant early in my career. The organization was run according to key values such as safety, employee empowerment (with a questioning attitude), teamwork, customer service, excellence, and diversity. These values were consciously driven throughout the organization. All employees were empowered to question any order they believed would reduce safety. Supervisors could not penalize employees for such questioning. Everyone was encouraged to think continuously of ways to improve safety. Thus, germination of grassroots ideas from people closest to the work was part of the culture. This produced a highly safety-conscious workforce, superior team spirit, a collaborative relationship between workers and management -- and an excellent safety record.
The same principles could achieve a culture of information security within an organization. After all, information security isn't much different from safety.
Granted, in a few highly controlled, top-security environments, empowerment may not be appropriate. Users who work in these environments easily recognize and appreciate the restrictions. However, most enterprises would benefit greatly if a culture of security were cultivated throughout the organization. User empowerment and the cultivation of a collaborative relationship between IT and the user community may be the key ways to foster such a culture.
Read through all the comments only to find you'd said in the first one what I'd planned to say. :) But yes. I'm already hearing stories about that now, that people who want to use the Internet for a small amount of personal use are told they can't, but instead of not using it, it simply means they bring in tablets and smartphones and do it that way. Similarly, they're told they can't work at home -- so instead they do so in an insecure fashion that results in versioning problems as well.
Yes, the company would be able to track employees, but would the IT department want to be on the hunt always? I mean that IT could be more productive if they were to empower the users rather than only being a watchdog and penalizing the employees who do not follow rules.
It sounds to me like your only option would be to find a way to use a different network. I hate to say it, but like a cellular one. Perhaps someone else has some nifty ideas for you, but if the ATV cannot connect to the enterprise-level network, you're SOL. You could check the jailbreak forums and see if there are hacks to enable this.
Yes, Syed, you have a good point that users might try out things which have been locked out from them, but I feel that by doing that the company will be able to track down who is trying to bypass company rules and regulations and take strict action against them.
Perhaps there should be designated "insecure" systems for printers... with an "air gap" between them and the network that should be secure.
Basically, set up a separate network for "casual use" -- but I suppose that could backfire because then people get too comfortable with the easy-to-use network.
The concept many security strategists are thinking about is the conscious promotion of a security culture throughout the organization. Yes, the idea of rewards can enter into this. But the rewards do not have to be monetary -- badges of honor, the concept of gamification, and the concept of enterprise social networking can be used effectively to engage everyone, even in a very large enterprise. The nuclear power plant where I had observed safety as a culture used to give out certificates, sweatshirts, and name recognition for safety ideas and improvements in safety. Security was always everyone's responsibility -- so it is not a new responsibility we are giving users. Great contributions, everyone. Thanks.
@rdv - Security and social networking in the enterprise is quite an extensive discussion. In short, an enterprise must consciously develop internal and external social network environment strategies and associated security policies ensuring that enterprise intellectual capital is protected.
The "collaborative relationship between IT security and users" is a desirable state, but how is this achieved? The bottom line is that in any relationship, there is the question of benefit. How the user sees the benefit to him/her will determine the success of the relationship.
Will support of the relationship result in less/no negative sanctions or more "real" positive benefits?
It is my experience that failure to support security policy results in negative sanctions (aka unplanned career moves). Support of security policies by users is not normally followed by "real" positive benefits to the user.
Maybe it's time to incentivize user support for security with monetary incentives, such as bonuses, stock options, etc. We reward employees based on productivity and profits; why can't this be done for IT/IS security in a for-profit organization? Admittedly, the rewards may have to be appropriately crafted for government and non-profit enterprises.
For this to work, you will have to establish metrics for the organization's security posture and base the monetary/financial incentives on annual security-related measurements. Radical? Yes, but it will be interesting to see the results.