The Wall Street Journal, 22 October 2007, reports on a debate between the CIO of Highmark Inc. (a business education corporation) and the CIO of Google on whether employees’ use of unauthorized technologies at work compromises security or enhances productivity.
Why does locking down the desktop enhance corporate security?
The essential question is “how much leeway should office workers have to try out new technologies on company computers? For many employers, the answer is clear: none at all. Corporate IT departments already have their hands full with viruses, hackers, spyware, and data breaches, without having to worry about employees making those problems worse by adding unauthorized software or devices. Security experts warn that a company’s insiders are responsible for most security headaches, intentionally or inadvertently.”
- Tom Tabor, the CIO of Highmark, states: “We recognize that employees just want to be productive…while this may be advantageous, it is also a management issue as far as maintainability, support, and potentially cost.”
Why does unlocking the desktop enhance worker productivity?
“Most employees who work regularly with computers can think of dozens of ways that unauthorized technologies make it easier to do their jobs, whether it’s Web-based email programs for sending large files or flash memory drives for taking work files home. And it isn’t just individuals; whole departments are turning to online software providers to handle business needs without the approval, or often the knowledge, of the IT department.”
- Douglas Merrill, the CIO of Google, states: “We must give up trying to control everything, and instead focus on the few places that are the most critical.”
How do these CIOs deal with demands for new IT?
- Tabor: “We have a formalized technology-acquisition process that allows employees to submit technologies for review by the IT organization. Through this process, employees have a say in what technologies are considered.”
- Merrill: “At Google, most employees who run Windows are set as power users, not administrators. This allows employees to install some things and change some machine settings, but not everything—basically, we try to protect our employees from themselves. [However,] if they want administrator access, they just have to ask for it…”
In user-centric EA, we follow a similar method to Mr. Tabor’s technology-acquisition process by having an Investment Review Board supported by an Enterprise Architecture Board, where business sponsors can submit decision requests for new IT projects, products, or standards and get these evaluated, authorized, prioritized, and funded. The key is to have a structured process that adds value to the IT investment decision-making without stifling innovation and productivity.
As for locking down the desktop, as a user, I can’t say that I love the restrictions, but as an enterprise architect and IT and business professional, I definitely see the security value to the organization, as well as the benefits of standardizing technologies, developing enterprise solutions, and building a maintainable, cost-effective infrastructure.