by Michael Schrage

Employees Can Compromise Security with Consumer IT

Oct 15, 2006 | 6 mins
Consumer Electronics

“Power users” can be demanding pains in the butt. And tech-savvy managers may be relentless thorns in your side. But the employees with the greatest potential to make your enterprise life a seething hell of killer viruses, data loss, network disruptions, compromised security and contempt for your professional competence are the “ordinary” folks who think their technologies belong on your network (see “Consumer Appeal,” Page 63).

They care not that Skype is a terrific vector for viruses or that a MySpace account will prove to be an information sieve or that making the company’s uber-customized “sales-force automation” system run on their BlackBerrys will take months of programming.

They don’t think twice about using 1-gig memory sticks to back up customer data and then losing the sticks on a trip. Maybe, in the interests of good supplier or customer relationships they’ll put a behind-the-firewall link on to help answer a question or two—and then call your people screaming that you’ve made them look bad because it’s inaccessible.

Employees just suck, don’t they? It’s bad enough that they don’t read the documentation, follow the rules or make even a minimal effort to get the most they can out of internal IT systems. Now they’re bringing every consumer electronics gizmo they’ve purchased, website they’ve accessed and IM account they’ve set up into the enterprise, and they expect you to support them. Just what do they think they’re doing?

The answer to that question is the reason the surging challenge of consumer technologies will get worse before it gets better and why the problem can—at best—be managed and not solved.

An emerging majority of employees honestly believe that the technology they use outside the organization is superior to the technology they use inside the enterprise. They feel they’re getting a swifter and more valuable user experience interacting with eBay than with your supply chain software; Google’s better than your DBMS; Skype beats your phone system; and AOL wins because you don’t allow IM or “buddy lists.”

What’s more, the savvier employees with teenagers look at MySpace and Facebook and wonder why IT isn’t adapting those kinds of social networking genres for project management and hiring systems. They wonder why they get better, faster, cheaper or free software services outside the firewall. They think you’re too slow, cautious, unmotivated. They think you suck. If they like you, they simply think you’re too busy.

So that’s their excuse for bringing external technologies and services into the enterprise: You can’t and/or you won’t.

Further complicating this dynamic is the reality that most of your better employees now take their work home and on the road. Companies have (successfully) used IT to both blur and dissolve the lines between the office and the home. Well, two can play at that game. Employees once dependent on enterprise software to finish a project over the weekend now want to be able to integrate software and services from websites you might not like or trust. Too bad for you.

Historically, IT’s response to technical insubordination is prohibition: Employees are forbidden from using Skype, IM, personal e-mail accounts and so on. I remember that in the 1980s, more than a few Fortune 500 IT shops didn’t allow personal computers. In the 1990s, corporate IT tried to stamp out unauthorized local networks that various workgroups had set up for themselves because IT hadn’t gotten around to supporting them. No wonder IT got a reputation as “user hostile.”

Guess what? Last millennium’s authoritarian/totalitarian IT enterprise culture approach to innovation imports can’t work. Declaring war on external technologies turns your employees into innovation insurgents and “Google guerrillas.” You are defining them as enemies, and enemies have little interest in cooperation and collaboration. No—they’re interested in figuring out workarounds and countermeasures.

They’re not doing this out of spite; they’re doing it because using these tools and technologies makes their work lives easier, better and more productive. Do employees occasionally and, yes, inappropriately use these sites and technologies for personal use—booking travel, buying products, sending personal messages? Of course. Then again, they’re also doing work at home and during personal time while on the road. Does IT really want to be Big Brother, Supernanny and Techno-enforcer all in one? As the CIO, is that the “employee empowerment” brand you want for IT?

Enormous reservoirs of time, money, resources and hostility are consumed in this losing battle to define what employees cannot or should not use. Don’t do it. People will use IM whether you like it or not. People will use their cell phones to access proprietary databases. The core concern is that some of these behaviors are far riskier than others. IT’s traditional role of identifying such risks in order to eliminate them is no longer sustainable—not when the quality of external options is so often superior to the quality of internal service.

There is no cost-effective “solution” to this challenge; there is, however, a constructive approach. Don’t compete; don’t combat; co-opt. Organize advisory groups of employees who flout your rules on external innovation and relentlessly get their input on how helpful you should be. The purpose is not to cater to their whims or get them to like you better. It’s to exchange ideas and insights around risk. It is not your job to eliminate risk; it’s your job to manage it.

You and your folks (should) know way more about the technical risks of these technologies than your employees. How well do you communicate and explain risk scenarios? To what extent do your employees appreciate that there are often very simple, easy things they can do to dramatically reduce their individual and your institutional exposure to risk?

It’s foolish and counterproductive to let IT’s and Legal’s “eliminationist” policies get in the way of good risk management. And it undermines relations with employees when you introduce new systems and services.

How well CIOs and IT should leverage external innovation to amplify core IT processes deserves future discussion. But for now, CIOs need to turn their shops away from declaring war on their digital subversives and instead invite them to better understand the nature of enterprise risk. These people are using these technologies because they’re smart, not because they’re stupid. They’re smart enough to understand the difference between risk elimination and risk management too.