by Paul T. Cottey

Shall we play a game?

Jan 25, 2016
Data and Information Security, IT Leadership, SaaS

You cannot win the game of restricting end-user IT against business people with credit cards and expense accounts. The only winning move is not to play.

A strange game. The only winning move is not to play. How about a nice game of chess?

– Joshua/WOPR – War Games

I wrote several months ago about rogue IT and how to work with users who sign up for cloud-based solutions without working with you in IT. This still seems true to me, but it may be a little more complicated and a little more contentious than it needs to be.

I’ve continued to think about end-user IT since then and have simplified my approach to it into six words:

Ban it. Embrace it. Replace it.

Ban it. If there is a security issue with what the user is doing, it remains your responsibility as an IT professional to explain the situation and then to compel the user to stop violating security. Full stop. No arguments permitted that it is “just a little” confidential information or just a “tiny amount” of credit card data. Take it all the way to the CEO and to the Audit Committee if you have to, but you have a responsibility that does not go away because a user wants something different than what you offer. (If you have to go as far as the Audit Committee, you might want to update your resume since your beliefs and the organization’s beliefs regarding security would appear to differ materially.)

Embrace it. If the user has a legitimate business need that you have not met, and there is no security concern, swallow your pride and embrace the solution. Train the users, take responsibility for delivering the solution to your typical service levels, get your standard language into the contract (if possible), and make that capability a part of what you provide to the company. You will gain an ally and avoid being the excuse for work not getting done.

Replace it. Whether you have first had to ban it or whether you first embraced it, if the solution is not the final one you want to offer, then replace it with the right one. For example, if people need shared white board capabilities, and you first embraced a point-to-point solution on their iPads, it is perfectly acceptable to supersede that with one that also works on laptops. You need to be sure that the replacement solution is as robust as the previous one and you will need to provide training in the transition, but you still are permitted to enhance your formal service offerings.

You cannot win the game of restricting end-user IT against business people with credit cards and expense accounts by crossing swords with them. Try a nice game of chess with them, or if you are feeling combative, grab a basketball and play some one-on-one. The best way to win is not to play the game.